Categories
Health Law Highlights

Ransomware Attack on Texas Ophthalmology Practice Exposes Data of 80,000 Patients

Summary of article from The HIPAA Journal, by Steve Adler:

A Texas-based ophthalmology practice, encompassing Victoria Surgery Center, Victoria Eye Center, and Victoria Vision Center, was hit by a ransomware attack on March 21, 2024, compromising the personal and health data of 80,122 patients. The attack encrypted files, making certain systems inaccessible, and an investigation confirmed unauthorized access to patient data. Names, addresses, and medical identification details were among the compromised information. Affected individuals have been notified and offered a year of credit monitoring and identity theft protection services. In a separate incident, Texas Panhandle Centers, a Certified Community Behavioral Health Clinic, disclosed unauthorized access to its systems in October 2023, potentially exposing the data of 16,394 patients.


Health Plan Services Firm Notifying 2.4 Million of PHI Theft

Summary of article from GovInfo Security, by Marianne Kolbasuk McGee:

Texas-based health plan administration services firm, WebTPA, is notifying over 2.4 million individuals about a hacking incident that occurred in 2023, which was detected in December of the same year. The breach potentially compromised personal data including names, contact information, birthdates, Social Security numbers, and insurance details. WebTPA has offered two years of free identity and credit monitoring services to those affected and has bolstered its network security. The delay in identifying and responding to the breach highlights the challenges organizations face in incident response and breach analysis. This incident is the third-largest breach reported in 2024 and emphasizes the increasing targeting of business associates that provide administrative services to health plans and other healthcare sector entities.


Don’t Call It a Breach Rule: FTC Health Breach Notification Rule Has Been Here for Years, Now Updated to Serve as a Backdoor Privacy Regulation

Summary of article from Wyrick Robbins Yates & Ponton LLP, by Lynn Percival IV:

In December 2021, the Federal Trade Commission (FTC) began a rulemaking process to update the Health Breach Notification Rule (HBNR), which mandates notice following a security breach of unsecured personal health records. The FTC has now finalized these updates, expanding the definition of a “breach of security” to include unauthorized uses and disclosures of health information. The updated rule also broadens the terms “personal health records” and “PHR identifiable health information,” potentially encompassing more websites, apps, and data repositories. The definition of “PHR related entity” has also been clarified, expanding the types of organizations subject to the rule. The updated rule will be effective 60 days after its publication in the Federal Register, with violations potentially resulting in significant civil penalties.


FTC Finalizes Changes to Health Breach Notification Rule

Summary of article from Fierce Healthcare, by Heather Landi:

The Federal Trade Commission (FTC) has finalized the revised Health Breach Notification Rule (HBNR) to enhance data privacy protection for consumers using digital health apps. The rule mandates vendors managing digital health records to notify individuals, the FTC, and sometimes the media, of any breach of unsecured personally identifiable health data. The data includes traditional health information, data from fitness trackers, and “emergent health data” such as health information inferred from location data and health-related purchases. The rule also obligates third-party service providers to notify vendors of personal health records following a breach discovery. The rule will be effective 60 days after its publication in the Federal Register.


Kaiser Permanente Notifying 13.4 Million of Tracker Breach

Summary of article from Gov Info Security, by Marianne Kolbasuk McGee:

Kaiser Foundation Health Plan reported a data breach affecting 13.4 million individuals due to unauthorized access/disclosure resulting from its previous use of online tracking technologies on its websites and mobile applications. Personal information potentially transmitted to third-party vendors such as Google, Microsoft Bing, and Twitter includes IP addresses, names, account sign-in information, website navigation data, and search terms. No sensitive information such as usernames, passwords, Social Security numbers, or financial account details was disclosed. Kaiser Permanente has since removed these online tracking technologies and implemented measures to prevent such incidents in the future. Although no misuse of the personal information is known, the organization will notify affected individuals directly in May out of caution.