Top Stories

As we await the new Netflix series on cybercrime featuring luminaries including Brian Krebs, a few other stories caught our attention this week.
CISA issued vulnerability alerts for several medical device products produced by Illumina and Becton, Dickinson & Co. Patches for the Illumina genetic testing and sequencing devices should be installed immediately.
On the privacy front, in the US, there has finally been meaningful progress on a national privacy bill. Leaders of key House and Senate committees seem to have compromised in the draft bill. The proposal has three thresholds for covered entities based on the size of a given business. There are provisions for enhanced children's protections, limits on targeted advertising, preemption over state laws, and a limited private right of action. The draft also proposes a chief privacy officer requirement.
Finally, in Europe, the European Commission announced the European Health Data Space. The EHDS is meant to empower people to control and utilize their health data in their home country or in other Member States, foster a genuine single market for digital health services and products, and offer a consistent, trustworthy, and efficient framework to use health data for research, innovation, policy-making and regulatory activities, while ensuring full compliance with the EU's high data protection standards.
Breaches
Shields Health Care Group notifies 2,000,000 patients after hack
The incident was reported to HHS in May as impacting 2,000,000 patients but has only been added to HHS’s public breach tool now.
Solara Medical Supplies to Pay $5 Million in Data Breach Deal
The case is In Re: Solara Med. Supplies Data Breach Litig., S.D. Cal., No. 3:19-cv-02284, 4/20/22.
Security
After Hive cyberattack, Partnership HealthPlan confirms data theft affecting 855K
This week’s breach roundup includes several hacks and a massive theft of paper records, and is led by a follow-up on the March cyberattack and network outage incurred by Partnership HealthPlan of California.
Emotet Reemerges as Prominent Cyber Threat to Healthcare
Emotet is an advanced banking trojan frequently used in healthcare cyberattacks.
Feds Issue Alerts for Several Medical Device Security Flaws
CISA on Thursday issued alerts for about five vulnerabilities, identified by an independent research firm, in the Local Run Manager software contained in several Illumina in-vitro diagnostic (IVD) devices and research-use-only (RUO) instruments.
Novartis says no sensitive data was compromised in cyberattack
Industrial Spy is a hacking group that began selling data allegedly stolen from Novartis on its Tor extortion marketplace for $500,000 in bitcoin. The group claims the data relates to RNA- and DNA-based drug technology and tests from Novartis and was stolen "directly from the laboratory environment of the manufacturing plant."
Privacy
Attorney General Bonta Emphasizes Health Apps' Legal Obligation to Protect Reproductive Health Information | State of California - Department of Justice - Office of the Attorney General
The Confidentiality of Medical Information Act (CMIA) applies to mobile apps that are designed to store medical information, including some fertility trackers, and establishes privacy protections that go beyond federal law.
MongoDB Debuts ‘Queryable Encryption’ to Fight Hacks and Leaks | WIRED
On Tuesday, MongoDB is announcing “Queryable Encryption,” a feature that will allow database users to search their data while it remains encrypted. Queryable Encryption is built to work with existing databases rather than requiring users to re-architect their systems.
US lawmakers unveil bipartisan American Data Privacy and Protection Act
The proposal has three thresholds for covered entities based on the size of a given business. There are provisions for enhanced children's protections, limits on targeted advertising, preemption over facets of state laws, and a limited private right of action. The draft also proposes a chief privacy officer requirement and other organizational requirements related to data minimization and scaled-back data practices.