Data Breach

US Department of Health and Human Services fines Arizona provider $100,000 for HIPAA violations

In a rare enforcement action of HIPAA, HHS fined an Arizona health care provider $100,000 for a variety of HIPAA violations, especially regarding electronic exchanges of protected health information. The HHS document outlining the reasons for the fine should act as a wake-up call to health care providers using public email, calendaring, and other tools for communication of ePHI. HHS specifically noted that the fined health care provider did not conduct an adequate risk assessment prior to using the email and Internet tools. The full HHS document is a must-read for health care providers. WPF has been warning about the need for full e-risk assessments since 2005 and strongly advocates for medical-identity-theft-specific risk assessments.

WPF requests more information about Ceridian data breach and the FTC complaint process

Data breach — The World Privacy Forum filed comments with the Federal Trade Commission regarding its consent decree against Ceridian regarding a substantial data breach. WPF has requested that the Commission present more facts in the case to the public, and has also requested more clarity about the FTC complaint process, noting that it is not a transparent process for the public.

Public Comments: May 2011 – WPF requests more information about Ceridian data breach and the FTC complaint process

The World Privacy Forum filed comments with the Federal Trade Commission regarding its consent decree against Ceridian regarding a substantial data breach. WPF has requested that the Commission present more facts in the case to the public, and has also requested more clarity about the FTC complaint process, noting that it is not a transparent process for the public.

GSK Breach Letter

Consumers receive breach letters — Pharmaceutical manufacturer GSK, maker of drugs Paxil, Boniva, Advair, and many others, sent a letter to consumers who had registered on one or more of its product websites. Due to the Epsilon data breach, registrants’ names, email, and the product they registered for was breached. Information people give to a company via a pharmaceutical product web site such as this is not usually covered under HIPAA. See our Patient’s Guide to HIPAA for more on what is covered under HIPAA and what is not. WPF recommends that consumers use a “throwaway” or temporary email address if deciding to register at a Pharmaceutical product web sites.