HIPAA violations: $2.5 million settlement for US Diagnostics company

First settlement involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.

Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html

PrivacyScore checks web sites for privacy issues

“PrivacyScore is open source software and we plan to release all collected datasets for research purposes. Besides running it as a public service, PrivacyScore can also be deployed in-house. This will help DPAs that are faced with the task of enforcing a large number of regulatory requirements specified in the General Data Protection Regulation (GDPR).”

https://arxiv.org/pdf/1705.05139.pdf

Tool is at https://privacyscore.org/

Norwegian DPA blocks three smart device vendors from processing customer data

The Norwegian DPA has ordered Gator AS to discontinue all processing of personal information about its customers, because the company has not provided sufficient information about the smartwatches it sells. In addition, PepCall AS and GPS for children – Smartprodukt AS have been notified of similar decisions.

Use right-click in Chrome to translate:

https://www.datatilsynet.no/aktuelt/2017/palegger-stans-i-behandlingen-av-personopplysninger-i-smartklokker/

Researchers re-identify patients from a de-identified patient data set published by the Australian government

The Australian government previously published a de-identified open health data set containing the patient data of a subset of the Australian population. The de-identification process involved not only stripping direct identifiers but also adding some inaccuracies to the data. However, the data set was still at the person level.

Researchers have been able to successfully re-identify some patients.


ICO fines Carphone Warehouse

The U.K. Information Commissioner’s Office has fined Carphone Warehouse 400,000 GBP after a security vulnerability left one of its computer systems compromised in a 2015 cyberattack. In one of the ICO’s largest fines issued to date, Information Commissioner Elizabeth Denham said,

“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”

The investigation revealed attackers gained access via an outdated WordPress software login, leading Denham to call the systemic failures “rudimentary, commonplace measures.”

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/