Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million).  This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people.  The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months.  Similarly on September 23, 2020, a business associate providing IT and health information management services to hospitals and physicians clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people.  Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.
Continue Reading Data Breaches and HIPAA Enforcement Remain Endemic Amidst the COVID-19 Pandemic

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be understated. Communications between computers on the Internet depend on DNS to get to their intended destination. Network communications begin with a query to DNS to resolve the human readable domain name to a numeric Internet Protocol (IP) address required by computers

On June 28, 2018, California legislated into law A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand privacy rights of California consumers as well as require businesses to disclose the what, why, and how consumers’ personal information are

Our colleague  at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go