Privacy and Data Security

On April 2, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) announced a Notification of Enforcement Discretion to allow certain uses and disclosures of Protected Health Information (“PHI”) by HIPAA business associates during the COVID-19 public health emergency.  Understanding that the CDC, CMS and state and local health departments need quick access to COVID-19 related healthcare data in order to fight the pandemic, HHS decided to grant HIPAA business associates greater freedom to cooperate and exchange COVID-19-related information with public health and oversight agencies.
Continue Reading HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency

“New York Settles EmblemHealth Breach for $575,000,” is a reprint of an article first posted on the Sheppard Mullin Eye on Privacy blog on March 15, 2018. EmblemHealth is one of the United States’ largest nonprofit health plans. It is headquartered in New York City, New York.

New York Settles EmblemHealth Breach for $575,000

The recent $575,000 settlement with EmblemHealth signals a push from AG Schneiderman “for stronger security laws and hold[ing] businesses accountable for protecting their customers’ personal data.” Noting New York’s “weak and outdated” security laws, AG Scheiderman used the settlement to urge for the swift passage of the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) introduced by his office in November 2017, which would make New York one of the most protective states in terms of data privacy and security.
Continue Reading New York Settles EmblemHealth Breach for $575,000

This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. Hospitals and healthcare entities in the UK and elsewhere were particularly hard hit and continue struggling to recover, with doctors around the world blocked from access to patient files and multiple emergency room and even entire-hospital shut-downs. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses is expected to range from the hundreds of millions to the billions of dollars.
Continue Reading WannaCry Ransomware Alert

Big name companies, government agencies and individuals are all falling victim to “ransomware” attacks in record and still-rising numbers. Recently, Hollywood Presbyterian Hospital’s communications capabilities were disabled for 10 days before the hospital paid a ransom of 40 bitcoins – about $17,000 – and regained access to its system. And this week Medstar Health, a system of ten major hospitals in the Washington, DC area, reportedly suffered a similar attack. All this activity has led experts to label 2016 as “the year of ransomware.”  And this new form of cyberattack requires a different approach to cybersecurity and incident recovery than your data breach prevention plan.
Continue Reading Be Alert: Ransomware Attacks on the Rise