Stolen Data Found on Dark Web by New Security Startup
You have been attacked by hackers and they have stolen your data, but how can you tell? According to a new security start-up, discovering a breach of healthcare data can be a very quick process: Terbium Labs has developed a method of identifying stolen data within minutes of it being posted online. CEO of Terbium, Danny Rogers, along with CTO, Michael Moore, believe they have developed a system that takes “a large scale, computational approach to finding pilfered data,” and allows stolen data to be identified faster and more securely than was previously possible. Reducing the Risk of a HIPAA Data Breach In order for a company to identify stolen data, it must first be provided with the confidential records that it needs to search for. This naturally involves some risk. As the past few weeks have shown, passing data to Business Associates increases the risk of a data breach. Medical Management LLC being a good example. Terbium’s new product, called Matchlight, uses an innovative method of identifying data, while ensuring the data the company stores on a HIPAA-covered entity is...
UPMC Data Breach Not Grounds for Class Action Says Judge
A data breach suffered by the University of Pittsburgh Medical Center in 2014 does not give the victims grounds for a class action claim, even though there have been 817 reported cases of tax fraud as a direct result of the data breach. Civil lawsuits filed against healthcare providers often fail because of a lack of evidence that the stolen data has been used inappropriately. Without any actual harm suffered, a claim is very unlikely to succeed. In this case, there was provable losses suffered by some of the victims, but it was not deemed to warrant a class action claim, at least not under the circumstances. The data breach did not involve any patient data, although all 62,000 employees were affected. The initial data breach report stated only 27,000 individuals had been affected; however, that figure has since been expanded and the data breach is now believed to affect all 62,000 employees. The breach affected the company’s payroll database and exposed highly sensitive information about the employees, including names, addresses, Social Security numbers, salary details and in some...
Conn. Data Breach Bill Demands Year of ID Theft Protection for Victims
Gov. Dannel P. Malloy is poised to sign Senate Bill 949 which will introduce even stricter data privacy and security requirements in Connecticut, as well as for any organization doing business with Connecticut residents. The bill has been introduced to increase protection for consumers in the wake of the high volume of data breaches that have affected the state – and the country as a whole – over the past few years. Current state laws require organizations to notify breach victims of an information breach ”without unreasonable delay.” Some organizations, such as those covered under the Health Insurance Portability and Accountability Act (HIPAA), have stricter reporting requirements. Federal laws will continue to preempt state laws on healthcare data breaches. Connecticut Residents to be Better Protected by Mandatory Data Breach Response HIPAA requires covered entities to issue data breach notification letters to all affected individuals “without reasonable delay”, although a maximum time limit of 60 days is allowed. However, some industries do not face the same strict regulations...
Patients Want to Share Their PHI, Says ONC Study
A new study released by the Office of the National Coordinator for Health IT (ONC) this week – Individuals’ Perceptions of the Privacy and Security of Medical Records – suggests that patients are happy with their healthcare data being shared; they just don’t want that information shared with unauthorized individuals. Healthcare Data Privacy Protections under HIPAA The sharing of healthcare data is highly restricted under the Health Insurance Portability and Accountability Act (HIPAA). The information can only be viewed by authorized individuals for the purpose of providing medical care or other essential healthcare purposes such as billing. Protected Health Information (PHI) cannot even be shared for the purposes of medical research, unless the data is first de-identified or patient permission is obtained. This may be about to change, certainly for the purposes of research, but how do patients actually feel about the use of their data by healthcare providers? Do they have concerns about the growth in use of Electronic Health Records (EHRs)? Vaishali Patel, PhD MPH and...
Jocelyn Samuels Questioned on OCR HIPAA Audits
The Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing HIPAA Rules on data privacy, security, and breach notifications. As part of this duty, it is required to conduct HIPAA compliance audits on HIPAA-Covered Entities (CEs) to ensure the legislation is being followed and the Privacy and Security Rules are put into practice. The task is a difficult one. It is hugely labor intensive, and involves the collection and collation of mountains of paperwork and an army of staff to assess compliance. The job requires highly trained personnel, which the OCR has; unfortunately, it just does not have enough of them. The role of the OCR is considerable, with the department required to ensure compliance with a number of legislative acts, in addition to HIPAA. The huge workload, which also includes the issuing of guidance as well as taking enforcement actions and conducting audits, places a considerable strain on the agency’s 650-strong workforce of attorneys, auditors, and staff. Budgetary constraints are a long-running problem with the department, and while...



