Top Stories

HITRUST CSF v11 Available Now with New, Easier e1 Certification
The new HITRUST e1 Certification enables organizations to reliably demonstrate that they have achieved a “minimum bar” of basic cybersecurity hygiene. The e1 delivers a lower level of assurance than HITRUST i1 and r2 Assessments, and requires far less effort to prepare for and assess, but provides an appropriate, suitable assessment for organizations of a lower risk profile and the quality and reliability for which HITRUST Validated Assessments and deliverables are known. Like the i1 and r2, a Validated e1 Assessment can result in a one-year certification and requires an external assessor.

Breaches
3 Specialty Practices Report Healthcare Data Breaches
A Texas home healthcare provider, a Florida behavioral health services organization, and a New York provider of autism services all disclosed healthcare data breaches recently.

Third-party administrator hack leads to theft of patient data for over 251K | SC Media
Austin, Texas-based Bay Bridge Administrators, a third-party administrator of insurance products, recently began notifying more than 251,000 patients that their data was stolen after a network hack in September 2022.

LastPass breach exposes how US breach notification laws can leave consumers in the lurch
The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime.

Australian Law Firms Cooperate in Medibank Litigation
After the breach comes the litigation: Three Australian class action law firms say they've teamed up against private health insurer Medibank on behalf of the up to 9.7 million individuals affected by the firm's customer data breach at the hands of ransomware hackers.

Security

Attacks on 2 Specialty Care Providers Affect Nearly 600,000
Two specialty medical care firms - a Texas-based home healthcare agency and a Pennsylvania-based women's and family health clinic - are reporting separate ransomware breaches that in total affect nearly 600,000 individuals.

Privacy

European Privacy Regulators Step Up Scrutiny of Business Data Practices - WSJ
European privacy regulators are reaching beyond investigations into run-of-the-mill violations of the General Data Protection Regulation, such as data breaches, and eyeing companies’ business models, scrutinizing their contracts and considering more nuanced aspects of how the nearly five-year-old law applies.

Europe
How the Netherlands Is Taming Big Tech
The New York Times reports on major changes at Big Tech companies sparked by Dutch privacy regulators' use of the EU General Data Protection Regulation.

Privacy Fines: GDPR Sanctions Last Year Surged to $3 Billion
The cost of violating Europe's General Data Protection Regulation skyrocketed last year, and Big Tech companies took the brunt of the 2.9 billion euros in fines levied by regulatory agencies.

Misc

Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies - WSJ
A combination of market forces and investor pressure is forcing even the youngest companies to beef up their cybersecurity, as would-be acquirers step up their scrutiny of digital weaknesses.

Health Entities Should Vet Risks of ChatGPT Use
Clinicians should think twice about using artificial intelligence tools as productivity boosters, healthcare attorneys warned after a Florida doctor publicized on TikTok how he had used ChatGPT to write a letter to an insurer arguing for patient coverage.