policy gaps – Privacy Design® [protecting people by good design, solid security, efficient processes and trusted services] Wed, 07 Nov 2018 21:11:28 +0000

Bavaria DPA Dashboard on inspections (planned, ongoing, completed) /2018/11/07/bavaria-dpa-dashboard-on-inspections-planned-ongoing-completed/ Wed, 07 Nov 2018 21:10:02 +0000

The dashboard lists completed inspections (including an online inspection of 172 WordPress web sites) as well as planned ones, e.g. inspections around data deletion in SAP, questionnaires, detailed expectations on controls, ...

https://www.lda.bayern.de/de/kontrollen

[UK/India] – Health Company Fined by UK’s ICO /2018/02/25/uk-india-health-company-fined-by-uks-ico/ Sun, 25 Feb 2018 08:25:23 +0000

• Subcontractor based in India to process sensitive personal data without adequate data processing / data transfer grounds
• Lack of contractual definition of adequate technical and organisational measures in India
• Sensitive personal data (with high severity) sent via unencrypted email
• Sensitive personal data on FTP server without restricted access controls
• Patient found his/her data via Internet search
• https://www.hldataprotection.com/2017/03/articles/international-eu-privacy/health-company-fined-by-uks-information-commissioner-office/

HIPAA violations: $2.5 million settlement for US Diagnostics company /2018/02/21/hipaa-violations-2-5-million-settlement-for-us-diagnostics-company/ Wed, 21 Feb 2018 10:01:33 +0000

This is the first settlement involving a wireless health services provider: CardioNet provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.

Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html
