According to the 2022 State of Ransomware Report issued recently by Sophos, it surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Those professionals in the health care sector shared that 66 percent of them had experienced a ransomware attack in 2021, which was an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.
Linn Freedman is chair of the firm’s Data Privacy + Security Team. She is also an active member of firm’s Health Law Group, education practice, Environmental + Utilities Group, Insurance + Reinsurance Group, and Business Litigation Group. Her practice focuses on data privacy and security law, responses to data breaches, compliance with federal and state privacy and security laws, breach notification laws, and assisting clients with regulatory investigations.
Ms. Freedman is experienced in providing counsel to health care organizations, Regional Health Information Organizations, and privacy and security issues related to interoperability of electronic health records. She has litigated complex cases, including privacy cases, and class action data breach litigation in state, federal, and appellate courts, government investigations, and serves as general counsel of the Rhode Island Quality Institute. Read her full rc.com bio here.
Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.…
A federal district court in Montana has confirmed that HIPAA precludes a private right of action for patients to claim an unauthorized access, use, or disclosure of protected health information. Nonetheless, the court denied the defendant covered entity’s motion to dismiss the complaint, holding that the plaintiff could move forward with state-specific claims of invasion of privacy, negligence, negligent infliction of emotional distress, and violation of Montana’s Consumer Protection Act because the federal law does not bar the suit under state law. The court held that, although HIPAA does not allow private lawsuits to be brought for unauthorized disclosure of health information, it does not preempt state law remedies that offer stronger protections than HIPAA.
Continue Reading No Private Right of Action under HIPAA, but State Law Claims May Still be Asserted
The Office for Civil Rights (OCR) recently announced that it has entered into the 20th settlement under its Right of Access Initiative. The settlement with Children’s Hospital and Medical Center in Nebraska includes an $80,000 payment by the hospital for failing to provide a mother with timely access to her daughter’s medical records.
In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging,…
The Office for Civil Rights (OCR) last week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.
The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.
Continue Reading OCR Announces Settlement with Clinical Lab for Alleged HIPAA Violations
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
Continue Reading Excellus Health Plan Pays $5.1M to OCR in Settlement Following Data Breach
The Office for Civil Rights (OCR) recently settled a tenth case under its right-to-access initiative with California-based Riverside Psychiatric Medical Group (RPMG), for $25,000.
Although a relatively small settlement in the amount paid, it shows that the OCR is taking patients’ requests for access to their medical records seriously, and that no complaint is too small to investigate and enforce.
Continue Reading OCR’s Tenth Right to Access Settlement Is Small but Meaningful
The Office for Civil Rights (OCR) issued a press release on November 12, 2020, announcing that it had settled its eleventh enforcement action in its HIPAA Right-of-Access Initiative. The settlement with Dr. Rajendra Bhayani, an otolaryngologist (ENT) practicing in Regal Park, New York, included a payment of $15,000, a corrective action plan and two years of monitoring by the OCR.
Continue Reading OCR Settles Another Right-of-Access Initiative Case
New Jersey Attorney General (AG) Gurbir S. Grewal announced on November 2, 2020, that his office has settled with ShopRite’s parent company, Wakefern Food Corp. (Wakefern) and two of its supermarket entities for $235,000 for a data breach that occurred in 2016.
According to the press release, the AG alleged that Wakefern violated HIPAA and the New Jersey Consumer Fraud Act (CFA) by “failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers” in its Kingston and Millville ShopRite stores.
Continue Reading ShopRite Settles with New Jersey AG for Data Breach