Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily as
Continue Reading Flo Health App Fallout: HIPAA-like Breach Notification Rule Not Enforced by FTC
breach notification rule
HHS Enforces Against County Government in Washington State
Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS…
Back to the SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach
SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.
A Peek Behind the OCR Wall of Shame
Ever wonder about those HIPAA breaches that affect less than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a…
Congressional Inquiry or Autopsy for SAIC Breach Disaster? – Part 5
Five members of Congress are co-signers of a bipartisan letter dated December 2, 2011, addressed to the Director of the TRICARE Management Authority to express the Congress members’ “deep concerns about a major breach of personally identifiable and protected health information by TRICARE contractor Science Applications International Corporation (SAIC).”…
Did Tricare/DoD Make a “Proactive Response” or a Preemptive Strike with SAIC in the PHI Breach Matter? Whose Risk is it Anyway? – Part 4
Given earlier assurances to the “approximately 4.9 million patients treated at military hospitals and clinics during the past 20 years” that the risk of harm was low from the SAIC PHI breach and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether Tricare/DoD’s abrupt about-face as to offering credit monitoring and restoration services relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk.
SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches – Part 3
When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc., will provide some information and guidance.
SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches – Part 2
When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc., will provide some information and guidance.
SAIC and Its Military Millions March – Flooding the Parade with Possible PHI Breaches (With Some Words on the Nemours PHI Breach) – Part 1
When is the mere “ability” to read protected health information (“PHI”), without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Recent PHI security breaches, including that being confronted by the Department of Defense and SAIC, Inc., will provide some information and guidance.
The Silent Brigade in the Parade of Major Reported PHI Breaches of Security and Privacy: Business Associates
One area that has received relatively little attention from postings of the HHS list of large breaches of unsecured PHI is the extent to which such PHI breaches are reported as attributable to events involving business associates of covered entities.