Resolution Agreement Requires Medical Imaging Company to Pay $3 Million to Settle Data Breach

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services revealed on May 6, 2019 that Tennessee-based Touchstone Medical Imaging (TMI) entered into a Resolution Agreement (RA) requiring them to pay a $3 million fine to settle a data breach that exposed over 300,000 patients’ protected health information (PHI). In addition to the significant monetary fine, TMI must adopt a corrective action plan that will address shortfalls in the company’s compliance with HIPAA Security and Breach Notification Rules, which is…
Continue reading...

Health Industry Cybersecurity Practices

Earlier this year the Department of Health and Human Services issued a report that in part detailed practices hospitals can use to avoid cyberattacks against the health care industry. The genesis of the report was the Cybersecurity Act of 2015 (CSA) and more specifically, section 405(d). That section calls for “aligning health care industry security approaches.” The forward to the report provides that “industry and government came together under the auspices of the 405(d) task group…focused on building a set of voluntary, consensus-based principles to…
Continue reading...

There is Still Hope for Federal Privacy Legislation, but it May be Delayed

Highly-publicized data breaches and frequent scandals involving the collection and sale of personal data have made online privacy a bipartisan issue. Lawmakers have proposed a number of solutions. One of those proposals is a bill to create rules governing online privacy, headed by Democratic Senators Richard Blumenthal, Brian Schatz, and Maria Cantwell, and Republican Senators Jerry Moran, Roger Wicker, and John Thune. Republicans evidently hope to complete a draft of the bill by the end of May so it can be introduced, debated, and voted…
Continue reading...

Breach Settlements Are Helpful Cybersecurity Reminders

Over the past month, a number of high-profile cybersecurity settlements have been reported. These cases continue to remind companies to take steps both to secure personal data and sensitive materials, including data stored by third-party vendors, as well as to conduct a prompt and comprehensive forensic investigation into any incident to ensure both a factually correct determination, and, if necessary, timely notice to impacted individuals. On April 18, 2019, a multi-million dollar class-action settlement out of Washington State University was approved relating to the theft…
Continue reading...

Walking Back Spokeo: Does the 11th Circuit Make Data Breach Standing Even Easier?

In the context of data-breach litigation, Article III standing has historically been a hurdle for the plaintiffs’ bar. This “standing hurdle” is more than just an oxymoronic phrase.  And after the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), many believed that would be data-breach plaintiffs would find it even more difficult to establish Article III standing.  Under Spokeo, the data breach plaintiffs are required to show an “injury-in-fact” that is “concrete and particularized” and “actual or imminent, not…
Continue reading...

Citrix Falls Victim to Password Spraying Attack

On March 6, the FBI alerted Citrix that cyber criminals accessed at least six terabytes of data stored on its servers. The data theft is particularly concerning because Citrix’s products and services are used by the vast majority of Fortune 500 companies, as well as by governments and militaries. The company, however, states that there is no indication that the security of any Citrix product or service was compromised in the attack. The hackers likely used a technique called password spraying to gain access. Password spraying is the…
Continue reading...

Vermont’s “Data Brokers” Law is a Glimpse into the Future for Many Industries

Cybersecurity has been a field where the concept of state governments acting as legislative laboratories has been observed in real time, with multiple states passing different pieces of legislation every year. One of the more unique laws passed in 2018, and effective as of January 1, 2019, is Vermont’s descriptively titled “act relating to data brokers and consumer protection.” Although unknown to most consumers, there is a booming industry of “data brokers” who act as middlemen between companies who collect data and those looking to…
Continue reading...

National Counterintelligence and Security Center Launches Effort to Protect Industry Against State Actors

On January 7, 2019, the National Counterintelligence and Security Center (NCSC), which coordinates counter-intelligence efforts within the U.S. government, announced that it would begin disseminating its “Know the Risk, Raise Your Shield” materials in an effort to assist the private sector in guarding against threats from foreign intelligence entities and other adversaries.  This campaign appears to have been prompted by the Trump administration’s efforts to drive U.S. companies to better protect their trade secrets from foreign hackers.  This comes on the heels of recent cyber-attacks…
Continue reading...

Pennsylvania Federal Court Dismisses Law Firm’s Case Against Bank in Social Engineering Cyber Attack

The unfortunately reality of cyber theft is that it’s much like any other type of theft – even if the criminal is caught, it’s unlikely that the ill-gotten gains will ever be fully recovered. There are simply too many ways to hide their destination or make them disappear. This often means the victim will seek other avenues for recouping losses, including filing a civil action against entities or individuals who allegedly could have helped prevent the theft. In the case of O’Neill, Bragg & Staffin,
Continue reading...

Long-struggling ‘Google Plus’ Social Network to be Shutdown after Security Breach Affects 500,000

On Monday, October 8, 2018 Google disclosed a security breach it discovered months ago that put at risk the personal data of hundreds of thousands of Google Plus users. In March, Google discovered, and fixed, the bug that allowed outside software developers to gain access to personal information on Google Plus users, including names, email addresses, ages, occupations and relationship status. The company’s decision to not immediately report the software bug has some concerned that Google cannot be relied on to protect privacy. Google…
Continue reading...