Page 45 - Sheppard Mullin Eye on Privacy 2018 Year in Review
HHS-OCR Closes 2017 with Seven Figure Settlement in PHI Data Breach Impacting Over 2 Million Individuals
Posted on January 24, 2018
At the end of last year the Department of Health and Human Services – Office for Civil Rights (OCR) announced a $2.3 million resolution agreement and settlement with 21st Century Oncology. The company, which billed itself as the largest operator of cancer treatment centers in the world, filed for bankruptcy in May of 2017. OCR’s press release on the settlement stated that the FBI twice notified 21st Century Oncology in 2015 that patient information had been illegally obtained and was being sold. Following that notice, the company determined through an internal investigation that an attacker may have reached its network SQL database over Remote Desktop Protocol (RDP) in early October of 2015, and that 2,213,597 individuals were potentially affected. The information accessed included names, dates of birth, Social Security numbers, physicians’ names, diagnoses, treatments, and insurance information. OCR’s subsequent investigation found that the company had failed to conduct a thorough security risk assessment; failed to implement appropriate security measures; failed to implement audit logs, access reports, or security incident tracking reports that would have recorded system activity; and disclosed protected health information to third-party vendors without a written business associate agreement. Notably, the breach was discovered only after external notification from law enforcement, not by the company’s own monitoring. In addition to the monetary settlement, the company must “complete a risk analysis and risk management plan, revise policies and procedures, educate its workforce on policies and procedures, provide all maintained business associate agreements to OCR, and submit an internal monitoring plan.”
This joins ten other resolution agreements published by OCR in 2017, totaling $19,393,000 in monetary settlements. The healthcare industry continues to be a lucrative target for attackers, despite increased awareness of cybersecurity. We expect healthcare breaches to take a top spot among breaches again this year.
PUTTING IT INTO PRACTICE: The settlements from 2017 are a reminder to the healthcare industry to remain prepared. “An ounce of prevention is worth a pound of cure:” we anticipate that OCR will continue to penalize organizations that do not implement reasonable privacy and security policies and procedures and do not continually assess their security risks.
SEC
SEC Issues $1 Million Identity Theft Rule Fine
Posted on October 22, 2018
The Securities and Exchange Commission recently settled with Voya Financial Advisors, Inc. for alleged violations of Regulation S-ID (otherwise known as the Identity Theft Red Flags Rule) and Regulation S-P (otherwise known as the Safeguards Rule). According to the SEC, Voya had failed to implement a written identity theft program as required of broker-dealers and investment advisers by the Identity Theft Red Flags Rule, and had failed to adopt written policies and procedures to protect customer records and information as required by the Safeguards Rule. Specifically, in April 2016 intruders impersonated Voya independent contractors and called the company’s technical support line. They asked for the contractors’ passwords to be reset, and support staff did so, reading temporary passwords to the callers over the phone without any further verification of who they were. The bad actors used these credentials to log in to the company’s proprietary web portal. The portal contained personally identifiable information of Voya customers, and according to the SEC the bad actors were able to access personal information for at least 5,600 of Voya’s customers. This information included addresses, dates of birth, last four digits of Social Security numbers, and email addresses; for at least 2,000 customers it included the full Social Security number or another government-issued ID number. Voya was alerted by one of the targeted contractors, who reported that he had received an email about a password change that he had not requested. After receiving this alert