Top Stories

HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking | HHS.gov
The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

Banner Health Resolution Agreement and Corrective Action Plan | HHS.gov
Breaches

US data breaches in 2022 just shy of all-time high set in 2021 | SC Media
The Identity Theft Resource Center’s annual data breach report shows 1,802 data compromises last year that affected about 422 million victims.

UCHealth, UCLA Health Report Healthcare Data Breaches
The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.
Security

OpenEMR Flaws Could Allow Attackers to Steal Data, More
Security researchers at Sonar, a company that touts itself as a platform for "clean code," say they detected a trio of vulnerabilities that attackers could chain together to execute code on servers running versions of OpenEMR 7.0.0.

CISA to Set Up New Office for Supply Chain Security
U.S. federal authorities are establishing an office to tackle supply chain security issues and help the industry and partners put updated federal guidance and policies into practice.

Microsoft Defender can now isolate compromised Linux endpoints
Microsoft announced today that it added device isolation support to Microsoft Defender for Endpoint (MDE) on onboarded Linux devices.
Privacy

FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.
Europe

Big changes coming for GDPR enforcement on Big Tech in Europe? | TechCrunch
In what looks like a meaningful — and long overdue — reforming step, the European Commission has committed to dial up its monitoring of how data protection authorities at the EU Member State level enforce the bloc’s flagship data protection rules — committing to regular checks on “large scale” General Data Protection Regulation (GDPR) cases.

EU Tightens Oversight of Data-Privacy Regulators to Speed Up Decisions - WSJ
Regulators that handle large-scale cases affecting people in more than one European Union country will need to report on their progress every other month to the European Commission, the EU’s executive arm. The commission disclosed the new procedure in response to a complaint alleging that the commission itself had violated EU law by not properly overseeing the Irish privacy regulator.
Misc

McDonald’s Ruling Shifts Oversight Liability Focus to Corporate Officers - WSJ
A judge’s decision to allow a shareholder lawsuit against a former McDonald’s Corp. human resources chief has put corporate executives on alert that they can be held personally liable for failing to oversee the biggest risks confronted by their companies. The ruling follows a series of Delaware Court of Chancery decisions that have set off alarm bells in corporate boardrooms by making clear that directors can be sued for serious compliance failures. The latest decision by Vice Chancellor J. Travis Laster clarifies that the legal scrutiny doesn’t stop with the board. Corporate officers can also be held to account for failing to do their part, the judge ruled.