Marianne Kolbasuk McGee, Databreachtoday.com, January 18, 2017
In the final days of the Obama administration, the Department of Health and Human Services has issued its second HIPAA enforcement action for 2017. HHS’ Office for Civil Rights has entered a $2.2 million settlement with a Puerto Rican insurance company in the wake of its investigation of a 2011 breach involving a stolen unencrypted USB drive that affected only about 2,000 individuals.
Sarah L. Bruno, Jade M. Kelly and Lourdes M. Turrecha, Arentfoxadvertising.com, January 19, 2017
On January 9, 2017, Presence Health agreed to settle with the U.S. Department of Health and Human Services (HHS) over potential violations of the Breach Notification Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is HHS’ first enforcement action against a covered entity that reported a breach but did not do so in a timely manner.
Marianne Kolbasuk McGee, Healthcareinfosecurity.com, January 12, 2017
In recent years, more and more companies across a range of industries have fallen victim to cyber attacks, including Sony Pictures, Yahoo!, and LinkedIn; however, we have yet to see a successful large scale breach of a major U.S. financial institution.
Michael Piscopo, Delta-risk.net, January 12, 2017
It’s a late Saturday morning and Joe Hacker (aka WF4EAK in underground hacking circles) fires up the software-defined radio (SDR) he bought online for $20 to listen in on the local hospital paging traffic. After all, he is trying to make a few extra bucks to buy a new Xbox, and selling healthcare information on the black market has turned into a lucrative side job. Let’s face it, organizations that are strictly following HIPAA guidelines and other healthcare regulations have made it harder to hack into hospitals. So how’s a hacker supposed to get to that protected healthcare information (PHI) to make some fast cash?
FTC Files Complaint Against Device Maker Concerning Alleged Failures to Reasonably Secure Routers and Internet Protocol (IP) Cameras
Buckley Sandler, Infobytesblog.com, January 13, 2017
On January 5, the FTC announced that it was initiating an enforcement action against a Taiwanese computer networking equipment manufacturer and its U.S. subsidiary. In a complaint filed with the Northern District of California, the FTC charged that the device manufacturer failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. Specifically, the FTC alleged that hackers could exploit these vulnerabilities using any of several “simple methods.”
Marianne Kolbasuk McGee, Healthcareinfosecurity.com, January 9, 2017
In a reminder of HIPAA’s tough requirements for breach notification, federal regulators have issued a $475,000 financial settlement and corrective action plan for Chicago-based Presence Health tied to its tardy notification for a 2013 paper records breach affecting only about 800 individuals.
Charlie Osborne, Zdnet.com, January 10, 2017
Reports that St. Jude Medical devices contained severe security flaws which led to a complicated legal battle between the healthcare equipment provider and MedSec have been vindicated, with the FDA supporting the security firm’s findings and St. Jude finally releasing a patch to fix the flaws.
Michael Kan, Computerworld.com, January 10, 2017
For better or worse, a security firm’s attempt to cash in on software bugs by shorting a company’s stock and then publicizing the flaws might have pioneered a new approach to vulnerability disclosure.
David Holtzman, Healthcareinfosecurity.com, January 3, 2017
It’s time to dust off the crystal ball to offer predictions for what the Department of Health and Human Services’ Office for Civil Rights might do in 2017 to administer and enforce the HIPAA privacy, security and breach notification rules.