Telehealth software vendor sued for sharing patients' medical info

(Apr 24, 2017) A class action lawsuit has been filed against telehealth software vendor MDLive, alleging the company violated consumers' privacy by sharing confidential medical information with a third party, HealthcareInfoSecurity reports. The complaint states MDLive programmed its app to take screenshots of consumers' sensitive health care information without user permission, then send the data to TestFairy, a tech company based in Israel that tests mobile apps for iOS and Android. The case "is the kin...

Health records down to $1 each on deep web

(Apr 24, 2017) Health records, sometimes with complete patient information, or "fullz" in hacker parlance, are flooding the deep web, leading to a drop in their value, CSO reports. By way of example, the article explores the hack of Baltimore-based substance abuse treatment facility Man Alive, which suffered a data breach last August. Quickly, their records, including dates of admissions, whether patients are on methadone, their doctors, and dosing information, appeared on the deep web. The hack was relatively...

Health care provider pays $31,000 to HHS in HIPAA settlement

(Apr 21, 2017) The Department of Health and Human Services has announced the Center for Children's Digestive Health has paid the agency $31,000 to settle potential HIPAA violations and agreed to put in place a corrective action plan. The small, for-profit health care provider did not have a Business Associate Agreement in place with a vendor even though it was disclosing personal health information beginning in 2003. As of Oct. 2015, neither party could produce a signed BAA. The HHS press release also included...

NY Supreme Court rules organ donor records not subject to HIPAA

(Apr 21, 2017) The New York Supreme Court has ruled patient records from the New York Organ Donor Network are not subject to HIPAA regulations, HealthITSecurity reports. A former official from the network had claimed they were because four patients had not been declared legally dead before their organs were harvested. Plaintiff Patrick McMahon also argued he had been fired for whistleblowing on the incidents. Manhattan Supreme Court Justice Arlene Bluth ruled the network is not a HIPAA covered entity and, hence...

Va. updates breach notification law for payroll data

(Apr 21, 2017) Virginia recently updated its data breach notification law to require notification when payroll data is compromised, HealthITSecurity reports. The amendment applies to employers or payroll service providers when there is unauthorized access and personal information is acquired, including unencrypted data containing taxpayer identification numbers in combination with income tax withholding information. The amendment also stated: "Good faith acquisition of personal information by an employee or ag...

MRI list leak prompts Manitoba's ombudsman to investigate

(Apr 21, 2017) Manitoba's ombudsman has launched an investigation after the names of high-profile individuals, who were moved to the top of an MRI-waiting list, were leaked to the media, Toronto Metro reports. Ombudsman Charlene Paquin said she was "extremely concerned" that the disclosure was a breach of the Personal Health Information Act. "I cannot stress enough how important it is for all trustees of personal health information to remember that they are in possession of some of the most sensitive informati...

Google study seeks 10,000 volunteers to share medical data

(Apr 20, 2017) Google's health spinout, Verily, is looking for 10,000 American volunteers to share intimate and sensitive information about their bodies in an attempt to help predict heart disease and cancer, MIT Technology Review reports. Called the Baseline Project, the multi-year study could cost upwards of $100 million. Volunteers will be asked to submit to an extensive number of tests and physical monitoring, including a heart monitor to follow pulse and movements in real time. They will also get x-ray an...

HHS OIG warns of patient data privacy phone scam

(Apr 19, 2017) The U.S. Department of Health and Human Services Office of the Inspector General has warned of a phone scam in which adversaries spoofed the OIG's hotline number for reporting fraud, HealthITSecurity reports. Individuals were contacted by entities claiming to be the HHS OIG, enticing them to confirm their personal information and, in some cases, wire money to the agency. HHS Assistant Inspector General for Investigations Thomas O'Donnell said thousands of such calls were made across the country....

On the need for better medical device security in health care privacy plans

(Apr 14, 2017) The privacy and security issues surrounding the deployment and use of internet-of-things devices are nothing new. Late last year, the concern grew as distributed denial of service attacks using insecure IoT devices increased dramatically when the Mirai botnet took down Brian Krebs' website and Dyn's networks, which affected countless websites in the U.S. But for such attacks, "No place should this be more of a concern than in the modern hospital," writes Interfaith Medical Center Director of Infr...

Healthcare privacy plans need to account for medical device security

(Apr 14, 2017) The world is becoming increasingly interconnected, with network-enabled devices becoming pervasive amid the explosive growth of the internet of things. This increased level of interconnectedness provides the potential for enhancements in convenience and utility, but at the same time it is also clear that such a level of interconnectedness comes with an increased attack surface that can be used to compromise devices. Once compromised, devices can be used as a backdoor into your organization as...