Healthcare entities and their vendors should be prepared to show evidence to regulators of how they've implemented "recognized security practices," or RSPs, says Robert Booker, chief strategy officer of HITRUST. "You've got to demonstrate that you align with a framework."
Federal regulators hit Banner Health, which operates hospitals and other care facilities in multiple states, with a $1.25 million HIPAA settlement in the wake of a 2016 hacking incident that affected nearly 3 million individuals. Banner Health will also implement a corrective action plan.
A Midwest specialty medical care clinic has reported to regulators a health data breach affecting 134,000 patients involving one of its critical partners' previous use of Meta Pixel and Google tracking codes embedded in its websites and patient portals.
An update to acquisition regulations within the Department of Veterans Affairs says that contractors have one hour to report a security and privacy incident. The clock starts ticking after the incident has been discovered. The department says the rule change only codifies an existing requirement.
Shields Health Care Group, a Massachusetts-based medical imaging services provider, is facing two class action lawsuits filed this week - a consolidated federal case and a similar, separate case filed in state court - both in the wake of the same 2022 data breach affecting 2 million individuals.
As regulators push healthcare entities and vendors to make it easier for patients to access their electronic health information, organizations must balance compliance with the prevention of potential security breaches, says attorney David Holtzman of HITprivacy LLC.
Hacking and third-party business associate incidents were the crux of the largest health data breaches reported to federal regulators in 2022, foreshadowing the top risks and threats that will likely plague healthcare entities and their vendors in the new year, as well.
Many of the major health data breaches being reported to regulators reflect a variety of poor practices by business associates, including retaining sensitive patient information for much longer than necessary, says Kate Borten, president of The Marblehead Group.
A Kansas-based vendor is notifying nearly 250,000 patients that their payment card and other personal information may have been compromised in a hacking incident that dates back to 2019 and involves its colonoscopy prep kit online retail business.
Potential regulatory policy moves by the federal government could help healthcare entities dedicate more resources to bolstering their cybersecurity efforts, says Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council.
Cybercriminals are becoming bolder in their attacks on healthcare entities and in how they're compromising patient data - and that's a very worrisome trend, says Nicholas Heesters of the Department of Health and Human Services' Office for Civil Rights.
Federal regulators have kicked off the New Year with a $16,000 HIPAA penalty against an Atlanta-based medical testing laboratory for failure to provide timely access to a patient records request. The settlement is the 43rd HHS enforcement action in these types of disputes.
In the latest legal volley between the Federal Trade Commission and Kochava, the FTC is asking a federal court to dismiss a "preemptive" lawsuit filed by the data broker last summer, weeks before the regulatory agency filed an enforcement action against the firm alleging data privacy violations.
A Utah-based senior healthcare firm paid a $200,000 settlement to two state attorneys general after it delayed reporting a 2019 data breach by 10 months. The breach affected 14,500 individuals and included Social Security numbers and medical treatment information.
The prospect of class action lawsuits being filed in the aftermath of a major data breach often has more impact on breached healthcare organizations than the potential for fines and enforcement actions by government regulators, says attorney Jeff Westerman of Westerman Law Corp.