All posts in Data Security

Cartoon: Data Breach Notification

Daniel Solove
Founder of TeachPrivacy

Cartoon Data Beach Notification - TeachPrivacy Security Awareness Training 02 small

This cartoon is about data breach notification.  All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe.  And, as is often said in data security, it’s not whether a breach will happen, but when . . .

Continue Reading

Increasing State HIPAA Enforcement: Highlights from 2018

Daniel Solove
Founder of TeachPrivacy

State HIPAA Enforcement - increasing 02

There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA.

An article in Data Breach Today discusses a number of state HIPAA enforcement cases.  Here are some of the ones discussed:

Massachusetts — $75,000 settlement with McLean Hospital for a data breach involving 1,500 victims based on an employee who routinely took home unencrypted backup tapes with PHI.  From the state press release:

The AG’s complaint alleges that McLean, a psychiatric hospital in Belmont, allowed an employee to regularly take home eight unencrypted back-up tapes containing clinical and demographic information from the Harvard Brain Tissue Resource Center that the hospital possessed. The tapes contained personal information such as names, social security numbers, diagnoses and family histories. When the employee was terminated from her position at McLean in May 2015, she only returned four of the tapes, and the hospital was unable to recover the others.

New Jersey — $100,000 settlement with EmblemHealth for a 2016 breach involving 81,000 victims.  Details from the state’s press release:

The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.

The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)

During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file.

Continue Reading

Archive of Concurring Opinions Posts

Daniel Solove
Founder of TeachPrivacy

Concurring Opinions Archive Daniel Solove Posts

It is sad to say goodbye to Concurring Opinions, a law professor blog I co-founded in 2005.  The blog began when a group of us (Dave Hoffman, Kaimi Wenger, Nate Oman, and me) who were blogging at PrawfsBlawg decided we wanted more autonomy in blog governance, so we founded Concurring Opinions.   Over the years, we added many great permabloggers: Danielle Citron, Deven Desai, Frank Pasquale, Gerard Magliocca, Ronald K.L. Collins, Larry Cunningham, Naomi Cahn, Sarah Waldeck, Solangel Maldonado, Corey Yung, Jaya Ramji-Nogales, and others.

I have a few final thoughts about Concurring Opinions below, as well as a small piece of good news — I’ve archived most of my posts here on this special archive page. More on the archive later.

Continue Reading

Speaking at the FTC Hearing on Data Security on December 12

Daniel Solove
Founder of TeachPrivacy

12/13/18 Update: Here is the video from the session described below.

On Wednesday, December 12, 2018, I’ll be speaking at the Data Security hearing, part of the FTC Hearings on Competition and Consumer Protection in the 21st Century.  My panel begins at 1:00 PM:

The U.S. Approach to Consumer Data Security

Wednesday, December 12, 2018 from 1:00 PM to 2:30 PM

Participants:

Chris Calabrese
Center for Democracy & Technology

Daniel J. Solove
George Washington University Law School

David Thaw
University of Pittsburgh

Janis Kestenbaum
Perkins Coie LLP

Lisa J. Sotto
Hunton Andrews Kurth LLP

Moderator: James Cooper
Federal Trade Commission, Bureau of Consumer Protection

I previously spoke at an earlier hearing in this series back in September on a panel about consumer privacy protection (video / transcript).  The upcoming hearing focuses on data security.

Continue Reading

The Mail Machine Ate My Thumb Drive

Daniel Solove
Founder of TeachPrivacy

USB zDrive - Thumb DriveIn the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail.  The file contained Social Security information and other financial data.

Seriously?

Envelope

The envelope arrived without the USB drive. The firm contacted the post office.

What happened next is most bizarre.  Here’s an excerpt from the law firm’s letter notifying the state attorney general:

Continue Reading