Skip to main content

Author: Crown Information Managment

Florida Raises the Bar on Data Privacy

Security and breach notification with passage of new law… On June 20, 2014, the “Florida Information Protection Act of 2014” (FIPA) was signed into law by Florida Governor Rick Scott, after it received unanimous support by the legislature. FIPA will take effect on July 1, 2014 and will replace Florida’s existing data breach notification law. FIPA dramatically increases the breadth of Florida’s data breach notification law.

  • Shorter timeline to notify
  • Expanded definition of “Personal Information”
  • FIPA applies to “covered entities” – healthcare or not
  • Mandatory notice to Florida Attorney General and production of proactive measures
  • Proactive measures are now required
  • Federal regulatory exemption
  • Third-party vendor notification
  • Unfair and deceptive trade practices Statute may be used

 

If HIPAA Wasn’t Enough…

Federal Trade Commission Begins Enforcement . . .
The Federal trade Commission, recently announced that it will now pursue cases involving the failure to maintain the confidentiality of sensitive information about an individual when a promise to the consumer (or patient) has been made by the provider of services (such as a healthcare entity) through the Notice of Privacy Practices (NPP) or other privacy policies posted on a website.

Two recent examples of the FTCs enforcement actions were recently made public. Both present different outcomes than the penalties set from the Department of Health and Human Services’ Office for Civil Rights in its settlements tied to HIPAA enforcement.

The First is Atlanta-based LabMD. As a result of this FTC enforcement action, LabMD announced that it is closing down operations, citing the impact the investigation has had on the company. LabMD suffered a breach of patient information in 2010 when a document was inadvertently leaked from its peer-to-peer network and found on a file sharing network. This prompted the FTC to open its investigation. After two years of investigation, the FTC filed a complaint that alleged LabMD had breached the information of nearly 10,000 consumers. The FTC proposed that the company implement a comprehensive security program and submit to biannual assessments by an independent third party for next 20 years.

The second recent enforcement action involved California-based GMR Transcription, which provides transcription services to healthcare organizations. The complaint alleged that due to inadequate security around how files created by the transcriptionists were handled by GMR’s service provider, they were indexed by a major Internet search engine and made available to anyone using that search engine. The GMR breach involved sensitive information, including driver’s license numbers, tax information, medical histories, notes from children’s medical examinations, medications and psychiatric notes.

In both cases, the FTC found that the companies involved failed to provide reasonable and appropriate security for personal information on their computer networks and that this failure could lead to consumer identity theft and unauthorized disclosure of private medical information. The commission further asserted that this represented an unfair act or practice under the FTC Act. And the commission stressed that HIPAA or other statutes do not constitute a shield to protect entities from the FTC Act.

In short, what this means is that the FTC intends, to fully exercise its responsibilities when it deems it appropriate and/or necessary to protect consumers. And it means that healthcare entities have one more regulatory agency overseeing their activities. Enforcement just got tougher, and, as a result, security incidents could be far more costly.

Man Finds Personal Info in Box from Walmart

Instead of packing peanuts, poorly shredded bank statements & emails from about fifty…
Ron Myers, a Colorado man discovered some very personal information inside a package he ordered from Walmart.com. Instead of being stuffed with packing peanuts, the box was stuffed with shredded bank statements and emails from about fifty people, including organizations like Doctors Without Borders and the NCAA.

The documents were shredded horizontally along what looked like lines in an Excel spreadsheet. “We have stakeholder reports, bank statements, and all kinds of personal information. It was like the blades and the lines on the spreadsheet lined up perfectly to cut each and every one of them, perfectly legible the whole way through. We have about forty or fifty people’s full information,”

“In the wrong hands this could have been bad,” Ron Meyers “When we opened the box we found everybody’s personal information. It looks like it went through a shredder but they shredded it wrong,” Meyers said.

Meyers says he contacted Walmart and got the runaround, so he passed the information to one of the victims: the co-chair of Doctors Without Borders of Utah. Though Meyers is doing the right thing, it leaves him wondering what would have happened had the box fallen into the wrong hands. “This would be perfect for somebody who is into identity theft. They could have gotten into email accounts, bank accounts,” Meyers said. “I’d be a little upset; I’d want to know how my personal information ended up in a box in Colorado Springs if I lived in Utah.”