In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.
Latest from Password Protected
Illinois Supreme Court: Certain Collected Biometric Data Is Exempt From BIPA Protections
On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and why…
Changes Coming to Rules for Handling Children’s Data
On Dec. 20, 2023, the Federal Trade Commission announced its intent to file a notice of proposed rulemaking related to the Children’s Online Privacy Protection Rule — the first proposed changes to the rule in 10 years.
What are some of the key proposed changes?
- Separate Opt-In for Targeted Advertising. Covered service operators are required
…
Merck Cyberattack Settlement Renews Spotlight on War Exclusions in 2024
Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. Read on for analysis…
New Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law
On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).
The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope…
Can Any Data Breach Investigation Report Deserve Protection? Part I
Companies and even law firms suffer data breaches, and usually claim privilege and work product protection for the inevitable resulting investigation. Unfortunately, courts seem to have rejected such protection claims in all but a few cases. Most of the other data breach victims have tried to emulate two of the winners, but have failed.
In…
Can Any Data Breach Investigation Report Deserve Protection? Part II
Last week’s Privilege Point described a data breach victim’s latest losing effort to claim privilege protection for its consultant’s investigation report. Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023). Before bluntly rejecting McMenamins’ privilege claim, the court spent more time analyzing its work product claim before also…
Don’t Forget: It’s Time to Notify the FTC of Your Data Breach
This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.
What is the Safeguards Rule?
The Safeguards Rule, which originally…
Can Any Data Breach Investigation Report Deserve Protection? Part III
The last two Privilege Points have described yet another losing effort to protect a data breach investigation and related communications. In Leonard v. McMenamins Inc., Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023), the court denied the company’s privilege and work product claims — specifically rejecting its efforts to squeeze…
OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows…