Written by: Sam Crochet, Esq.

In-house counsels are facing growing pressure to perform risk assessments and address internal policies to avoid data breaches for a new reason (as if they needed one). Data breach plaintiffs, depending on the state, may now find their cases welcome in state courts despite struggling to prove a clear “injury” in federal court. The Supreme Court’s 2016 Spokeo v. Robins decision established a plaintiff’s federal court “standing” necessitated actual injury as opposed to mere statutory violation. The Spokeo decision led many in-house counsels to believe lack of an “injury in fact” could prevent Plaintiffs from pursuing data breach lawsuits. However, recently, the 9th Circuit Court backed an Ikea shopper’s argument her zip-code-collection claim against the retail giant should simply remain in state court as opposed to disappear altogether despite failing to show a real injury. The three judge panel decided concrete harm had not been shown by the Ikea shopper, but that she could have a second bite of the apple in state court, where the statute or general “standing” law might be different.

The decision reveals the key issue from the Spokeo ruling is not about whether a case can be brought, but actually where that case can be brought. This is a concept Plaintiff’s attorneys have been preaching for the better part of a year and one that now seems to be gaining more steam. In our experience, state statutes often grant discretion in ordering civil penalties against data breach defendants. My belief is any admission in federal court by a plaintiff regarding lack of an injury (which they might do to “save” their case and send it to state court as mentioned above) should be used vigorously by defense attorneys to persuade state judges to order nominal penalties in this kind of scenario.

The Ikea decision shows oftentimes a data breach plaintiff will receive a second bite at the apple in state court due to Spokeo’s double edged sword. At Hall Booth Smith, we counsel our clients to keep the big picture in mind so we can help them develop strategies in light of this potential consequence. This approach allows them to drastically reduce the risk of civil penalties down the line. Regardless, this trend is concerning and underscores the fact the best defense is for companies to always be proactive in performing a well-tailored yearly risk analysis that is fully compliant with the many industry specific rules, from an experienced data privacy/security attorney.

Written by: Richard Sheinis, Esq.

A mistake is nothing more than an opportunity to learn. Of course, you have to take advantage of that opportunity. Children’s Medical Center of Dallas failure to take that opportunity has led to a HIPAA civil monetary penalty of $3.2 million. In 2010, Children’s filed a report with OCR indicating the loss of an unencrypted, non-password protected BlackBerry at the Dallas/Fort Worth Airport on November 19, 2009. The BlackBerry had the ePHI of 3,800 individuals.

In 2013, Children’s filed another breach report with OCR in which they reported the theft of an unencrypted laptop. The laptop contained the ePHI of 2,462 individuals. An OCR investigation revealed Children’s failed to implement a risk management plan, despite a recommendation to do so, and they failed to implement encryption on all laptops, work stations, mobile devices and removable media until after the laptop was stolen. Children’s failure to implement encryption procedures, despite experiencing a similar breach involving an unencrypted mobile device several years earlier, was obviously a key factor in HHS levying such a large monetary penalty.

This is a great example of how a hacker or outside source was not the problem. The problem was Children’s failure to do the easy things, a risk management plan and encryption, that led to the penalty. Any health care provider can avoid these mistakes and penalties with a basic HIPAA risk analysis, a risk management plan, and learning from the mistakes of others. Actually, the risk analysis and risk management plan are specifically required by HIPAA regulations, “learning from the mistakes of others” is my regulation!

Written by: Richard Sheinis, Esq.

Vizio, Inc., one of the world’s largest manufacturers of internet connected televisions has agreed to pay $2.2 million to settle charges by the Federal Trade Commission and the New Jersey Attorney General that it installed software on its TVs to collect viewing data on 11 million consumer TVs without the consumers’ knowledge.

Vizio TVs have a “Smart Interactivity” feature which enabled the collection of consumers’ second by second viewing data, including video from consumer cable, broadband, DVD, over the air broadcasts and streaming devices.  Even worse, Vizio facilitated appending  demographic information to the viewing data, including age, sex, income marital status, household size, education level, home ownership, and household value, and then sold this information to third parties, according to FTC allegations.

Here is my question, how much money did Vizio make by selling this information to third parties?  Isn’t a $2.2 million fine a drop in the bucket to one of the world’s largest TV manufacturers?

Compiled by: Richard Sheinis, Esq.

MLB Fines Cardinals $2 Million for Computer Hack
St. Louis Business Journal

Major League Baseball on Monday afternoon ordered the St. Louis Cardinals to pay $2 million and turn over two 2017 draft selections to the Houston …

Hackers Steal 2.5 Million PlayStation and Xbox Players’ Details in Major Breach
Telegraph.co.uk

PlayStation and Xbox gamers are at risk of having had their private information stolen following a data breach involving 2.5 million accounts. Hackers …

Hackers Take Over a Hotel’s Computer System, Lock Guests in Rooms and Hold Hotel to Ransom
Tech2

We’ve all seen those movies where hackers need just a laptop and an internet connection to take over the world and disrupt our lives. It’s likely that …

Master Hacker Infiltrated the Israel Defence Forces’ Drones System so Hamas Could Spy on its Troops
The Sun

The court was told how the computer expert hacked the IDF’s drones hovering over Gaza, enabling Hamas commanders to view the drone video feed.

US Attorney: Cyber Crime is a Multi-Billion Global Business
Minuteman News Center

Ms. Richards serves as Assistant U.S. Attorney in the District of Connecticut and Computer Hacking and Intellectual Property (CHIP) Coordinator for …

British Hoteliers Warned of Rise in Cyber Attacks
TravelMole

Two luxury hotels in Cornwall have become victims of cyber attacks, which are increasingly common at British hotels, according to a new report.

NY Attorney General Schneiderman Settles Data Breach Investigation
The National Law Review

The data breach, first reported in June, 2016, involved data for over 35,000 customers throughout the United States, Canada and Puerto Rico, …

Hospitals as Cyber-Targets: How to Prepare for the Inevitable Data Breach
Cardiovascular Business

Just a month after one California hospital paid a $17,000 ransom to end a cyberattack, three more medical centers in the state were hit by hackers.

Five Arrested for Hacking into ATMs and Stealing $3.2 Million
PC World

A year ago, researchers from antivirus vendor Kaspersky Lab warned about three cybercriminal groups that hacked into banks’ computer networks.

Cockrell Hill Police Lose Years Worth of Evidence in Ransom Hacking
KHOU.com

After consulting with the FBI’s Cyber Division, Barlag said the department decided not to pay the ransom demand, which was made electronically and …

Why the EU data Protection is a Game Changer for Hoteliers
ITProPortal

With the GDPR on the horizon, and stricter penalties for serious data breaches, there is added impetus for hoteliers to bolster data security processes.

Complied by: Richard Sheinis, Esq. 

2016 Healthcare Data Breaches Largely From Employee Error
HealthITSecurity.com

The business industry had a total of 494 reported data breaches, while … Healthcare data breaches also exposed the most Social Security numbers, …

Three Medical Data Breaches Expose 242600 Patients’ PHI
eSecurity Planet

The exposed data includes names, Social Security numbers, birth dates, contact details, medical record numbers and/or clinical information.

Argyle I.S.D. Employees Hit With Data Breach
NBC 5 Dallas-Fort Worth

District leaders say on Wednesday, an employee got a “phishing” email that appeared to be from the district superintendent.

Rsync Errors Lead to Data Breach at Canadian ISP, KWIC Internet
CSO Online

Misconfigured Rsync instances across multiple servers has led to a data breach at a Canadian ISP, exposing sensitive information and affecting all of …

3rd Circuit Says Spokeo Can’t Kill Data Breach Class Actions
Reuters

In Friday’s Horizon ruling, which delves more deeply into Spokeo analysis, the 3rd Circuit said the data breach plaintiffs had “at least as strong” a basis …

CoPilot Provider Support Services Notifies 220,000 Patients of Data Breach from 2015
Healthcare IT News

An unauthorized user downloaded patient files containing personal information and for some, Social Security numbers. No reason was given for the …

Ohio State Veterinary Medical Center at Dublin Hit with Possible Data Breach
OSU – The Lantern

A malware infection is to blame for a security breach that could put the personal information of up to 4,611 clients of the Ohio State Veterinary Medical …

Mapco Express Pays $1.9 Million in Data Breach Settlement
JD Supra (Press Release)

Two banks alleged that Mapco had lax security measures, which caused the breach causing the banks to reissue payment cards to affected …

Lloyds a Victim of Cyber Attack that Hit Banking Services
Reuters UK

Lloyds a victim of cyber attack that hit banking services … law enforcement agencies to trace who may be behind a cyber attack that caused intermittent …

SEC Probing Yahoo Over Previously Disclosed Cyber Breach
CNBC

The U.S. Securities and Exchange Commission is investigating a previously disclosed data breach at Yahoo, the company said in a filing. Yahoo said …

Popeyes Restaurants Suffer Data Breach
LowCards.com

CCC Restaurant Enterprises, LLC, the company that operates Popeyes Louisiana Kitchen, announced a data security breach that could have affected …

Appeals Court Vacates Horizon BCBS Data Breach Case
HealthITSecurity.com

A US Appeals Court recently ruled that it disagreed with the previous Horizon BCBS data breach decision, saying the complaint should not have been …

‘Upskirt’ Porn Website The Candid Board Hit With Data Leak Exposing 180,000 Users
International Business Times UK

Troy Hunt, a security expert who manages breach notification website HaveIBeenPwned, has uploaded the data to his service, however it will only be …

7th Circuit: You Can’t Sue Over Personal Data Unless it’s at Risk
Reuters

I told you last week about an emerging consensus among the federal circuits that, under Spokeo’s definition of constitutional standing, data breach …

Written by: Richard Sheinis, Esq.

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico for potential non-compliance with the HIPAA Security Rule. MAPFRE filed a report with HHS stating a “pen drive” containing ePHI of 2,209 individuals was stolen from its IT department. OCR’s investigation revealed MAPFRE had failed to conduct a HIPAA required risk analysis, failed to implement a risk management plan, and failed to encrypt PHI on its laptops or removable storage media. MAPFRE then failed to implement corrective measures it told OCR it would take. In addition to paying $2.2 million, MAPFRE agreed to a corrective action plan.

I have told many health care providers the fact that a breach occurred will not automatically result in a fine from OCR. OCR recognizes that breaches can occur even when the Security Rule is followed. However, if OCR finds that a health care provider snubbed its nose at HIPAA Security Rule compliance prior to the breach, and failed to take appropriate corrective action after the breach, then the provider has something to worry about. Security Rule compliance is really not that difficult. You just need a plan. It might seem daunting at first, but like the saying goes, every journey begins with the first step.

Compiled by: Richard Sheinis, Esq.

MAPCO to Pay $1.9M to Settle Data Breach Claims
CSNews Online

MAPCO Express Inc. will pay $1.9 million in a settlement over data security breaches at multiple stores, according to media reports. A Tennessee …

Supreme Court Issues Notice to Centre, Facebook, WhatsApp Over Data Protection
India.com

The petitioner told the Supreme Court that WhatsApp has become a utility service and user data needs to be safeguarded. A petition filed before the …

Data Breach at Sentara Healthcare
The Charlottesville Newsplex

ALBEMARLE COUNTY, Va. (NEWSPLEX) — Thousands of Sentara patients may have been impacted by a data breach at a third-party vendor…

Cellebrite Loses 900GB of Customer Data in Breach of Old Server
PC Authority

Israeli security company Cellebrite has suffered a data breach of its website, and as much as 900GB of information has been stolen. Cellebrite …

Indian Banks are Waking Up to a New Kind of Cyber Attack
Economic Times

MUMBAI: Hackers recently infiltrated the systems of three government-owned banks – two headquartered in Mumbai and one in Kolkata – to create …

Appeals Court Sides with UPMC Over Data Breach Lawsuit
Pittsburgh Post-Gazette

A panel of three Pennsylvania Superior Court judges has upheld a Common Pleas ruling that UPMC was not negligent following a data breach …

Investigation After Barts Health Trust Hit By Cyber Attack
Evening Standard

An urgent investigation has been launched after London’s largest health trust was hit by a cyber attack. Barts Health Trust, which runs four hospitals in …

Swiss-US Privacy Shield Framework Approved
GlobalComplianceNews

On January 11, 2017, the US and Swiss authorities announced their agreement on a new cross-border data transfer framework, the Swiss-US Privacy …

Uber’s Transit Data Could Make Driving Better for Everyone
Chicago Daily Herald

Sharing data could help build some goodwill in cities, said Linda Bailey, … the feature down after complaints that the site violated people’s privacy).

Student Hacker Faces 10 Years In Prison For Infecting 16000 Computers With Spyware
Techworm

Zachary Shames, 21, a student hacker from Great Walls, Virginia, pleaded writing and selling custom spyware designed to monitor a victim’s …

Ramirez to Resign From FTC
SC Magazine

Known as a tough regulator who’s used her agency’s consumer protection … guidance and enforcement for the Internet of Things (IoT) and big data.

$28000 Bitcoins Paid By Los Angeles Valley College As Ransom For Cyberattack [Video]
University Herald

Los Angeles Valley College is yet another victim to a cyberattack late last month. This move disrupted computer systems, email, and voice mail at the …

Health Insurance Data Breach Affects Thousands in Delaware
NBC 10 Philadelphia

Thousands of people in Delaware are victims of a data breach, and their medical records are now at risk. Police are now worried that people don’t …

Vera Bradley Taking Action to Address Potential Data Breach Involving Payment Cards at Stores
Sherwood Daily

Vera Bradley (VRA) said it is investigating a potential security breach involving customer data at its retail stores over the summer. The company said it …

Human Resources Notifies Employees of Data Breach
Military Technologies

Although the system was compromised for less than 30 minutes, data … Georgia Tech Cyber Security quickly intervened to stop the breach and has …

Arizona Cybersecurity Incident the Latest in a Growing List of Attempts
Government Technology

In a positive turn in their investigation of the latest attempt to hack a state computer system, Arizona officials said Russian hackers weren’t behind the …

Written by: Richard Sheinis, Esq.

The importance of timely reporting breaches of Protected Health Information (“PHI”) is now underscored by the U.S. Department of Health and Human Services (“HHS”) first ever enforcement action against a medical provider for failing to timely report a breach. Presence Health, a health care network with approximately 150 locations, including hospitals, and long-term care and senior living facilities, has agreed to pay $475,000, and implement a corrective action plan for failing to notify patients within 60 days of discovering the breach.

The breach involved the loss of paper operating room schedules, which contained the PHI of 836 patients. The PHI included names, dates of birth, medical record numbers, and information about the procedures performed on each patient. The incident was discovered on October 22, 2013, but Presence Health did not file their breach notification report with HHS until 101 days later on January 31, 2014.

In addition to the $475,000 penalty, Presence Health’s corrective action plan requires them to revise policies and procedures, provide training to employees, and provide reports to HHS regarding its compliance with these requirements. Health care providers should remember that any breach affecting 500 or more individuals requires notification to patients, as well as notification to prominent media outlets, and the filing of the breach notification report with HHS “without unreasonable delay”, but in no case more than 60 days after the discovery of the breach.

Compiled by: Richard Sheinis, Esq.

Anthem’s Historic 2015 Health Records Breach Was Likely Ordered by a Foreign Government
Fortune

… were tasked with conducting a nationwide examination of the breach. Information security firm Mandiant was also hired by Anthem to conduct its …

US Warns of ‘Imminent’ Cyberattack Threat on Electrical Grid
CNET

“Widespread disruption of electric service because of a transmission failure initiated by a cyberattack at various points of entry could undermine U.S. …

Russia Engineered Election Hacks and Meddling in Europe
USA Today

Russia’s alleged use of computer hacking to interfere with the U.S. presidential election fits a pattern of similar incidents across Europe for at least a …

FTC Sues Home Router Maker Over Security Flaws
CyberScoop

D-Link products put the personal cybersecurity and private data of … The agency’s legal actions over poor cybersecurity or data protection have …

Legal Team for NC Man Guilty of Hacking Say CIA Director Left ‘Door Wide Open
News & Observer

One of his lawyers, Marina Medvin, said in a statement Friday that Liverman and his fellow hackers didn’t just “crack” into a computer. “What they also …

Anthem Cyberattack Perpetrated by Foreign Government, Officials Say
Healthcare IT News

The hacker who targeted Anthem in early 2015, exposing more than 78 million … “This was one of the largest cyber hacks of an insurance company’s …

Why Proving the Source of a Cyberattack is so Damn Difficult
CNN

Bruce Schneier is a security technologist and chief technology officer of Resilient Systems Inc. His latest book is “Data and Goliath: The Hidden Battles …

Student Charged in Cyber Attack on 304 Computers at University of Alberta
CTV News

EDMONTON — A University of Alberta student is facing numerous charges after a cyber-attack on university computers. The university says on Nov.

Philippines’ Commission on Elections Found Liable for Data Breach
Enterprise Innovation

The Philippines’ National Privacy Commission (NPC) has found the Commission on Elections (Comelec) liable for the data breach at its voter …

Compiled by: Richard Sheinis, Esq.

Data Downer: Hackers Will Grow Increasingly Bold in 2017
Los Angeles Times

A few weeks ago, Yahoo reported what is believed to be the single largest security breach ever — 1 billion user accounts potentially accessed in …

FDA Guidelines for Medical Device Cybersecurity Call for All-Out Fight Vs. Hacking
Minneapolis Star Tribune

If you want to prevent computer hackers from attacking medical devices, it’s not enough to just design the best device you can before shipping it out the …

US Government Subcontractor Leaks Confidential Military Personnel Data
ZDNet

based contractor Booz Allen Hamilton was the source of the data. … lead security researcher of the MacKeeper Security Center, who found the data, …

Trading Card Maker Topps Hit by Security Breach in 2016
Engadget

Topps, the iconic maker of Star Wars, Frozen and various sports-related trading cards, has just notified its customers of security breaches that …

Nevada Data Breach Exposes Information of Nearly 12k Medical Marijuana Dispensary Applicants
Becker’s Hospital Review

A cyberattack on Nevada’s medical marijuana program database exposed the personal information of approximately 11,700 individuals, according to …

Pakistan Automotive Giant PakWheels Hacked, 700k Accounts Stolen
Hack Read

The inside information came from data breach notification website LeakedSource who told HackRead that the data breach took place before October …

InterContinental Hotels Investigates Credit Card Data Breach
LowCards.com

The sources told Krebs they were seeing fraud patterns on debit and credit cards that suggested a breach at IHG properties, particularly Holiday Inn …