RSS Feed LinkedIn Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Failing to Examine Risks Leads to Data Breach and Hefty Settlement Payout

Posted on: April 24th, 2017

By: Melissa Santalone

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced a $400,000 settlement with Metro Community Provider Network (MCPN), a Federally Qualified Health Center providing primary medical care and other health-related services in the Denver area, of an alleged HIPAA violation which resulted in a data breach due to a 2012 phishing scam. On January 27, 2012, MCPN filed a breach report with the OCR indicating that a hacker had used phishing emails to access employee email accounts, resulting in the compromise of electronic protected health information (ePHI) of 3,200 individuals. The OCR’s investigation of the breach revealed that MCPN had never conducted a security risk analysis of the vulnerabilities of the confidentiality, integrity, and availability of its ePHI prior to the discovery of the breach in violation of HIPAA. Further, once it did do a risk analysis, MCPN failed to do one sufficient to satisfy the HIPAA Security Rule. As part of the settlement, in addition to paying out a fine of $400,000, MCPN has agreed to implement a corrective action plan that requires it to conduct a comprehensive risk analysis and submit a written report to the OCR. Following the risk assessment, MCPN must also develop and enact an organization-wide risk management plan, including reviewing and revising its security policies and procedures and training materials.

This settlement highlights the importance of conducting regular, thorough risk analyses for all organizations subject to the requirements of HIPAA.  According to the OCR Guidance, which may be found here, a thorough risk analysis may involve:

  • Identification of the variety of ePHI an organization creates, collects, maintains, or transmits;
  • Identification of the location(s) where ePHI is stored;
  • Identification and documentation of threats to and vulnerabilities to ePHI;
  • Assessment of current security measures;
  • Assessment of the potential impact of the threat(s);
  • Assessment of the level of risk;
  • Documentation of the overall analysis.

While MCPN failed to do one at all until after it suffered a breach, the belief that doing one is enough is not uncommon. The OCR Guidance on this topic suggests periodic review. Significant changes in organizational structure or size or the implementation of new technology need to equate to updated risk assessments. If you need assistance with your HIPAA risk assessments, FMG’s Cyber Liability, Data Security & Privacy group is here to help.

Cyber Criminals Target FTP Servers of Healthcare Providers

Posted on: April 5th, 2017

By: Agne Krutules

The FBI has issued an alert warning medical care providers that cybercriminals are actively targeting File Transfer Protocol (“FTP”) servers of medical facilities. FTP is a common protocol used to transfer data between network hosts. The alert says that hackers are operating in an “anonymous” mode when connecting to FTP servers and are using their access to try to access protected health information (“PHI”) and personally identifiable information (“PII”) to harass, extort, and blackmail healthcare providers.

Although “white hat hackers” sometimes perform similar functions for research purposes in order to expose vulnerabilities and help organizations better protect themselves, these criminal “black hat hackers” are seeking to infiltrate medical providers’ servers in order to store malicious tools and/or launch cyberattacks.

In 2015, the University of Michigan conducted a study, which revealed that more than 1 million FTP servers were configured to allow anonymous access, which enabled users to authenticate with a common username without even entering a password or simply by submitting a generic password or e-mail address. It appears that the cybercriminals are now trying to exploit this vulnerability by targeting medical providers that have their FTP servers configured in this manner. According to the FBI alert, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”

To guard against this threat, the FBI recommends that all businesses, particularly medical and dental healthcare providers since they appear to be the focus of most recent attacks, request their IT professionals to check networks for FTP servers running in anonymous mode. If the business has a need for the server to be configured to run anonymously, no PHI and PII should be stored on the server. If protected information must be stored on the server, anonymous mode should be disabled, at a minimum. Other safeguards would include limiting access to known IP addresses (i.e. creating a white list), ensuring that data is encrypted while in storage and in transit, and monitoring all ingoing and outgoing requests and transfers in order to identify suspicious activity.

For more information, please contact Agne Krutules at [email protected].

Late, But Not Last, New Mexico Legislature Passes Data Breach Notification Law

Posted on: March 31st, 2017

By: Jonathan M. Romvary

On March 15, 2017, New Mexico’s Senate passed H.B. 15, the Data Breach Notification Act, making New Mexico the 48th state to pass a data breach notification law. The law, if signed by the governor, would provide New Mexico’s two million residents protections similar to those provided is many other states. Although they adopted the common definition for PII, New Mexico’s legislature declined to follow recent trends of expanding the definition of PII to include usernames or email addresses in combination with passwords and answers to security questions.

When a breach affecting New Mexico residents occurs, notification must be made no later than 30 days following discovery of the breach, except where “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.” In the event more than 1,000 New Mexico residents are affected, you must also provide notice to the office of New Mexico’s attorney general and the major consumer reporting agencies. If the breach involves credit card or debit card numbers, notice must also be provided to each merchant services provider to which the credit card or debit card number was transmitted within ten days of discovery of the breach.

Similar to other jurisdictions, the New Mexico legislature did not provide its citizens with a private right of action, rather it provides the state’s attorney general the right to bring legal actions on behalf of affected individuals. Courts may issue an injunction or award damages for actual losses including consequential financial losses. For knowingly or recklessly violating the Act, the Court may also impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.

New Mexico Governor Susana Martinez has until April 7, 2017 to sign the act into law. If signed into law, New Mexico would leave Alabama and South Dakota as the only states with no security breach laws, although the Alabama legislature has introduced a similar bill for consideration.

The passage of this new statute underscores the importance of staying up-to-date with your state’s data breach statutes and having a data breach response plan in place. The Cyber, Data Security, and Privacy practice group attorneys are here to assist you in navigating the intricacies of each states’ data protection statutes.

Please contact Jonathan Romvary at [email protected] if you have any questions regarding how this law or any state’s data breach statutes may affect you.


Internet of Things Device Manufacturer Settles Class Action Lawsuit

Posted on: March 20th, 2017

IoTBy: Matthew N. Foree

Recently, the United States District Court for the Northern District of Illinois preliminarily approved a class action settlement involving the manufacturer of an Internet of Things (“IoT”) device. In this case, two plaintiffs, whose names were withheld “due to the sensitive subject matter of this case,” filed a lawsuit against Standard Innovation Corporation (“Standard Innovation” or “Defendant”), a “sensual lifestyle products” company that sells a “high end vibrator called the We-Vibe.” As stated in the complaint, to fully operate the We-Vibe, users download Defendant’s “We-Connect” application and install it on their smart phones. With this app, users can “pair” their smart phone to We-Vibe, allowing them and others remote control over the device’s settings and features. As alleged in the complaint, the customers were unaware that Defendant designed the We-Connect app to collect and record data regarding consumers’ personal use of the device, including the date and time and the settings of the device, and then to transmit such data usage with the user’s personal email address to its servers in Canada. Based on these allegations, Plaintiffs sought an injunction to prohibit Defendant from monitoring, collecting and transmitting the information, as well as damages from the invasion of privacy and from the purchase of the device, including return of the purchase price and disgorgement of profits. Specifically, Plaintiff raised claims of violation of the Wiretap Act (18 U.S.C. § 2510), intrusion upon seclusion, and unjust enrichment.

On March 9, 2017, Plaintiffs’ filed the class action settlement agreement as part of Plaintiffs’ motion for preliminary approval of the settlement. Under the agreement, the parties agreed to divide the class into two separate classes, one for individuals who downloaded the We-Connect application and used it to control a We-Vibe brand product before September 26, 2016 (the “App Class”), and a second class including individuals who purchased a Bluetooth enabled We-Vibe brand product before September 26, 2016 (the “Purchaser Class”). Per the agreement, the parties agreed on a settlement fund for the App Class in the amount of $4 million CAD and a separate settlement fund for the Purchaser Class in the amount of $1 million CAD. Members of the App Class can receive up to $199.00 USD, while members of the Purchaser Class can receive up to $10,000 USD.

On March 14, 2017, the court granted an order preliminarily approving the class action settlement as defined by the parties. Among other things, the Order certified the proposed Purchaser Class and the App Class for settlement purposes only. It also approved the appointment of the Plaintiffs as class representatives and set the schedule for Notice to the Class and other deadlines. Significantly, the settlement agreement requires Defendant to remove and not include a registration process, and not collect email addresses, through the We-Connect application. It also requires Defendant to update its privacy notice to specifically disclose its data collection practices concerning the application. Additionally, the Defendant must, subject to any legal requirements, purge the data collected from its users.

We have reported previously about the proliferation of issues related to IoT devices, including the development of guidance for securing such devices. The security of IoT devices and the unauthorized use of information generated from them are topics ripe for litigation. The We-Vibe case, which may be the first IoT class action settlement, provides an early glimpse at theories of litigation involving IoT devices and, specifically, allegations of use of private consumer data without knowledge or consent. This case could create a framework for plaintiffs’ attorneys to use in bringing other IoT device cases, including class action matters. It remains to be seen whether actions such as this ultimately will lead to regulation in the IoT space and, if so, how long it will take to enact such regulation.

Please contact Matt Foree if you have any questions regarding the decision, or wish to obtain copies of the documents in this case. In the meantime, we will continue to provide updates regarding IoT litigation and other developments.

MLB Approves Wearable Biometric Monitor During Games – What Are The Risks?

Posted on: March 16th, 2017

baseballBy: Amy C. Bender

Major League Baseball has announced it will allow players to wear a WHOOP Strap during games beginning in the 2017 season. The device gathers and analyzes levels of strain, sleep, and recovery by measuring factors such as heart rate, ambient temperature, and levels of motion. It specifically is targeted to athletes and aims to optimize performance and avoid overtraining and injury, such as by determining how much sleep athletes need to perform their best and when it’s time to pull a pitcher from the mound. The biometric data will be available to the player and his or her team as well as – if the player and team consent – the public.  The device has various privacy settings that provide the player control over how much and which data to share.

Importantly, from a data privacy perspective, certain questions naturally arise from use of the device. How much of the data will players and teams want and need to share with sponsors, fans, and competitors? Will – and should – players be able to withhold any of their biometric information from their own team? Can the device be hacked? While most information stored on computers or other electronic devices is subject to some type of cyber attack, data on pro athletes obviously would be of heightened public interest. If such information got into in the wrong hands, it could be used to damage a player’s present and future career prospects and the financial health of the player and the team.

It remains to be seen how prolific the device will become in baseball and other pro sports, whether it improves players’ performance, and if and how data stored in the device is vulnerable to cyber attacks. In the meantime, it should make sports more interesting to watch.

For more information contact Amy Bender at [email protected].