Researchers re-identify patients from a de-identified patient data set published by the Australian government

The Australian government published a de-identified open health data set in the past, which contained the patient data of a subset of the Australian population.  – The de-identification process  involved not just stripping direct identifiers, but also adding some inaccuracies to the data set. However, the data set was still at the person-level.

Researchers have been able to successfully re-identify some patients.

Continue reading “Researchers re-identify patients from a de-identified patient data set published by the Australian government”

ICO fines Carphone Warehouse

The U.K. Information Commissioner’s Office has fined Carphone Warehouse 400,000 GBP after a security vulnerability left one of its computer systems compromised in a 2015 cyberattack. In one of the ICO’s largest fines issued to date, Information Commissioner Elizabeth Denham said,

A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”

The investigation revealed attackers gained access via an outdated WordPress software login, leading Denham to call the systemic failures “rudimentary, commonplace measures.”

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/

UK DPA on security vulerabilities’ impacts and data controllers

In a blogpost for the U.K. Information Commissioner’s Office, Nigel Houlden, head of technology policy, wrote about the impact serious security flaws will have for data controllers.

Drawing upon Google’s Project Zero blog post detailing the security flaws posed by Meltdown and Spectre, Houlden said the ICO “strongly recommend[s] that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency.

Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”

In the post, Houlden said implementing a privacy-by-design approach would help mitigate potential attacks.

https://iconewsblog.org.uk/2018/01/05/meltdown-and-spectre/

HIPAA settlement – Fresenius pays $3.5 million USD

Quotes from linked page below


CR’s investigation revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.

FMC Ak-Chin failed to implement policies and procedures to address security incidents.

FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.

FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.

FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.

http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/FMCNA/index.html.

US Health Breach Notification Rule

While  HIPAA is well-known, there are also obligations under the FTC’s Health Breach Notification Law..

From the linked page below:

“Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.” [..]

https://www.ftc.gov/tips-advice/business-center/guidance/health-breach-notification-rule