Friday, July 30, 2010

Online Behavioral Advertising: The European Union Controversy

On June 24, 2010, the European Union's body that addresses data protection issues, the so-called Article 29 Working Party, adopted Opinion 2/2010 (the “Opinion”) providing further clarification on the amended e-Privacy Directive (below) as applied to online behavioral advertising. The Working Party also issued a press release on this topic.

Although the scope of the Opinion is limited to online profiling, its interpretation of Article 5(3) of the amended e-Privacy Directive provides some useful clarifications regarding the legal framework applicable to online behavioral advertising and the use of cookies. There has been much heat generated by the Directive and the Opinion, and little light. Our friends at Osborne Clarke have published an excellent overview.

Read Regulating Online Behavioural Advertising for some insight into the discussion. U.S.-based online businesses will need to start paying close attention to this - the global nature of the Internet means that the actions of the Article 29 Working Party will have significant ripple effects here.

HHS Withdraws Breach Notification Final Rule (but breach notification still effective)

Interesting press release from the Department of Health and Human Services (HHS) relating to the HITECH Breach Notification Final Rule. The Interim Final Rule is still effective, but one can't help but wonder what HHS may be reconsidering given the numbers of breaches reported since September 2009.
Breach Notification Final Rule Update

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

Wednesday, July 28, 2010

Improper Disposal Costs Rite Aid $1 Million

Written by Dianne Bourque

Rite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies disposing of pill bottles containing patient information. Rite Aid and several other retail pharmacies in cities throughout the United States were highlighted in the report.

The improper disposal of patient labels violates the HIPAA Privacy Rule (not the Security Rule, because the labels are paper rather than electronic PHI) and exposes patients to the risk of identity theft and other crimes.

In addition to paying the $1 million resolution amount to OCR, Rite Aid has agreed to implement “a strong corrective action program” including:

· Revising its policies and procedures related to the disposal of PHI and sanctioning workers who do not follow them

· Training workforce members on new policies and procedures

· Conducting internal monitoring

· Engaging a qualified, independent third party assessor to review its compliance efforts and report to HHS

A link to the resolution agreement is available here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidres.pdf

Tuesday, July 13, 2010

Analysis of Proposed HHS Regulations Implementing HITECH Act

As promised last week in an earlier post, here is our first Mintz Levin client advisory analyzing the 234 pages of regulations issued on Thursday by the Department of Health and Human Services. Thanks to colleagues Alden Bianchi, Dianne Bourque and Stephen Bentfield.

The regulations are slated to be published in the Federal Register tomorrow, which will trigger the start of the 60-day comment period. We will continue to post further analysis of these regulations and discussion relating to particular points of interest. Stay tuned.

Australian Privacy Commissioner Concludes Google Breached Privacy Act

Written by Jillian Collins

Australian Privacy Commissioner Karen Curtis has concluded her investigation into Google's collection of unsecured WiFi payload data in Australia using Street View vehicles and finds that such collection violated Australian law.

“On the information available I am satisfied that any collection of personal information would have breached the Australian Privacy Act,” she said. “Collecting personal information in these circumstances is a very serious matter. Australians should reasonably expect that private communications remain private.”

For its part, Google has promised to publish an apology to Australians for its collection of unsecured WiFi 'payload' data. Google will also conduct a Privacy Impact Assessment (PIA) on any new Street View data collection activities in Australia that include personal information and regularly consult with the Australian Privacy Commissioner about personal data collection activities arising from significant product launches in Australia.

The apology, posted on the official Google Australia blog, states in part:

“To be clear, we did not want and have never used any payload data in our products or services--and as soon as we discovered our error, we announced that we would stop collecting all WiFi data via our Street View vehicles and removed all WiFi reception equipment from them…

We want to reiterate to Australians that this was a mistake for which we are sincerely sorry. Maintaining people's trust is crucial to everything we do and we have to earn that trust every single day. We are acutely aware that we failed badly here.”

Google admitted in May that it had collected certain WiFi content information--known as "payload data"--in some 33 countries, including in Australia, with special equipment mounted on its Street View photographic image collection vehicles.

Google may not get away so easily in other countries for the privacy breach. German authorities are leading an investigation that may result in criminal penalties, there is a class-action lawsuit against the company in the U.S., and the Federal Trade Commission has said it will take "a very close look" at the company's behavior. In other countries, including Britain, Germany, France, and Italy, authorities have demanded that Google hand over the payload data so that it can be used in possible legal cases against the company.

Related Links:

http://www.businessweek.com/technology/content/jul2010/tc2010079_071459.htm

http://www.smh.com.au/technology/technology-news/google-wifi-snooping-broke-the-law-privacy-watchdog-20100709-103eh.html

Google’s apology: http://google-au.blogspot.com/2010/07/were-sorry.html

Statement from the Australian Privacy Commissioner: http://www.privacy.gov.au/materials/a-z?fullsummary=7103

Monday, July 12, 2010

No Harm, No Foul; Ninth Circuit Affirms Dismissal of Data Breach Case Against The Gap

Written by Kevin McGinty

It’s a distressingly common scenario. A corporate laptop containing job applicant data, including social security numbers, is stolen from an employee who has taken the laptop off of corporate premises. Access to the social security numbers makes it possible for wrongdoers to engage in identity theft. Is an applicant’s fear that data will be misused enough to support claims for negligence and breach of contract against the company? The federal Ninth Circuit Court of Appeals has joined a growing number of courts in answering that question in the negative. In Ruiz v. Gap, Inc., the court held that California law requires actual damages to support claims for negligence and breach of contract, and that time and effort that the applicant allegedly expended to monitor for identity theft were insufficient to constitute actual damages. The court reached similar conclusions as to the claim under California’s consumer protection statute and, significantly, the claim for invasion of privacy. As to the latter, the court ruled that increased threat of a breach of privacy does not constitute an actual invasion of privacy.

None of this is to say that a company is immune from state law liability and can simply elect to do nothing when a data breach occurs. Although not detailed in the Ninth Circuit’s decision, The Gap took affirmative steps to protect applicants from potential harm arising from theft of their data. Not only did The Gap notify the applicants about the theft of the computer containing their personal information, but it also offered to provide twelve months of credit monitoring and fraud assistance without charge, plus $50,000 worth of identity theft insurance. The lesson of the Ruiz decision is that companies that do take reasonable steps to mitigate against potential misuse of stolen data will have a strong defense against further liability. It also reinforces the commonsense proposition that has bedeviled many attempts to parlay data breaches into class actions – the mere threat of bad consequences is not the same as actually suffering bad consequences. Thieves generally steal computers because they want the hardware, not the data. The loss of a computer containing personal data does not inevitably mean that such data will be misused. As such, claims arising from data breaches are unlikely to succeed unless there has also been identity theft and resulting adverse consequences for individuals whose identities have been stolen.

Thursday, July 8, 2010

REMINDER - HITECH/201 CMR 17.00 Compliance Workshop

Just a reminder of the FREE upcoming data security compliance workshop - Space is limited, so register today at http://tinyurl.com/35pk3yr!

On July 13, Mintz Levin will be joined by Sophos, Six Weight Consulting, and MFA Cornerstone Consulting to hold a free compliance workshop focused on both the gaps and overlap of Massachusetts’ data protection regulation 201 CMR 17.00 and the recent updates to federal health and medical data privacy found in the HITECH Act. We'll have an interactive hands-on workshop that will help you to address some critical questions within your organization:

What are my organization and business partner’s obligations?
What kind of information do I need to protect and how do I identify it?
Is data encryption necessary?
What is a WISP?
What is a data breach and what is my responsibility and liability if I have one?

First Ever State-initiated HIPAA Enforcement Action Settled

Written by Dianne Bourque

Connecticut Attorney General Richard Blumenthal has settled the first state-initiated HIPAA enforcement action. The settlement totals $250,000 in statutory damages and Health Net's agreement to implement a variety of measures to improve the security of consumer health and personal information. Health Net also agreed to provide two years of credit monitoring to affected individuals, $1 million of identity theft insurance and reimbursement for the costs of security freezes.

As we reported in this space, Blumenthal sued Health Net and its affiliates after they allegedly lost a computer disk drive in May 2009 containing protected health and other private information on more than 500,000 Connecticut residents and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information. Blumenthal also alleged that Health Net failed to promptly notify consumers endangered by the breach even after learning that the disk drive was stolen.

The Health Net case is the first action by a state attorney general for HIPAA violations since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

The full text of the settlement is available here:
http://www.ct.gov/ag/lib/ag/fraud/soctvhealthnetstipjudgment.pdf

HHS (Finally!) Issues Proposed HIPAA Privacy & Security Rule Changes

The long-awaited proposed changes to the HIPAA Privacy Rules have finally been released by the Department of Health and Human Services (HHS).

A joint statement issued today by the HHS and the Office of Civil Rights (OCR) says that the proposed regulations “would expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization. In addition, the proposed rule is designed to strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions. This rulemaking will strengthen the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in health care today. We urge consumers, providers, and other stakeholders to read these proposals and offer comments during the 60-day comment period, which will officially open on July 14, 2010. Information about posting comments will be available at http://www.regulations.gov.”

The 234 pages of proposed regulations can be found at Notice of Proposed Rulemaking to Implement HITECH Act Modifications and we are in the process of reviewing these regulations to provide our readers with further information.

Thursday, July 1, 2010

Data Breaches du Jour

Information regarding the latest reports of data breaches -- common thread: it is taking a startlingly long time for entities to (a) discover that they have been breached, and (b) then take action to notify affected customers of potential compromises to personal information.

Update on Major Data Breach at California Health Insurer

Updating a previous blog post (link) from Monday, WellPoint, the country's largest health insurer, has now sent notice to 470,000 members and applicants for individual health insurance nationwide informing them of a breach to a web site used by individuals to apply for insurance and track the status of their applications. The web site system run by WellPoint subsidiary Anthem Blue Cross of California was allegedly manipulated by attorneys looking to bolster a class action lawsuit against the insurer. WellPoint indicated that although the breach may have affected 230,000 California customers as previously reported, data for other applicants could have been obtained and accessed by anyone merely by altering the URL, thus prompting the additional notices.

While initially saying that personal information was unsecured for "a relatively short period of time," WellPoint now explains that five months passed before the company learned in March that a failed security update to the Anthem web site had left customers' data vulnerable.

Related Link:
http://www.govinfosecurity.com/articles.php?art_id=2690
Unencrypted Patient Information Goes Missing from NY Hospital

A New York hospital is notifying some 130,000 patients that their personal information may have been compromised. Patient information stored on seven CDs belonging to New York's Lincoln Medical and Mental Health Center was lost in transit after a hospital contractor shipped them, Bloomberg reports. The unencrypted data includes Social Security numbers, dates of birth, drivers' license numbers and procedure information. In a letter sent to victims earlier this month, the hospital suggested the CDs may have been displaced at a shipping facility and destroyed.

Yet another good argument for encrypting all PHI and PI in transit.

Related Link:

http://www.businessweek.com/idg/2010-06-29/new-york-hospital-loses-data-on-130-000-via-fedex.html

Continuing Data Breach Over Eight Year Period Exposes Personal and Medical Records of Students at University of Maine Counseling Center

According to the Auburn-Lewiston Sun Journal, the University of Maine Police Department is investigating a data breach that exposed nearly 5,000 students' personal and medical information. Starting in 2002 and spanning eight years, hackers accessed the UMaine counseling center database, the Sun Journal reports. The database stored information including names, Social Security numbers and clinical information. The university has hired a company to monitor the credit of those potentially affected, though there is no indication the hacked data has been viewed or used. "This is a serious breach and we are profoundly sorry that this has happened," said a university spokesman.

Related Link:
http://www.sunjournal.com/state/story/870870