Top Stories

HHS: Healthcare continues to struggle with HIPAA compliance, IT security | SC Media
Office of Civil Rights received 34,077 new complaints of possible HIPAA and HITECH violations in 2021, a 25% increase from 2020, while funding constraints limit enforcement.

New HHS cyber, enforcement arms to tackle 69% rise in HIPAA complaints | SC Media
HHS Office of Civil Rights stands up new divisions to combat staffing constraints and HIPAA complaints after report details funding impact on enforcement.

After GoAnywhere MFT hack, HHS again warns of Clop ransomware threat | SC Media
The Clop ransomware group “unabashedly and almost exclusively targets the healthcare sector,” HHS warns provider organizations following exploit of GoAnywhere MFT vulnerability.

Highlights from the New U.S. Cybersecurity Strategy – Krebs on Security
The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.

Breaches

DOJ Finalizes FTC Settlement With GoodRx Over Alleged Health Breach Notification Rule Violations
Following allegations of Health Breach Notification Rule violations, GoodRx agreed to pay a civil monetary penalty of $1.5 million and notify users that their information was disclosed, the DOJ announced.

Revenue Cycle Management Company Reports Healthcare Data Breach Impacting 250K
Revenue cycle management company Reventics recently notified 250,918 individuals of a healthcare data breach that impacted some patient information. Reventics detected a cyber intruder within its systems on December 15, 2022, and immediately began investigating the incident.

Hackers Leak LA Kids’ Mental Health Records, Taunt Victims - Bloomberg
Kids’ medical and mental health records, in addition to 2,000 student assessments, driver’s license numbers and Social Security numbers, were published after a breach last year at the Los Angeles Unified School District, said Jack Kelanic, senior IT infrastructure administrator. The district is the second-largest in the nation, with more than 600,000 pupils in 1,000 schools.

Security

Healthcare Most Hit by Ransomware Last Year, FBI Finds
Healthcare and public health bore the brunt of ransomware attacks on critical infrastructure sectors launched during the last year, says the FBI.

Privacy

Biometric-Privacy Rulings in Illinois Expand Potential Liability for Companies - WSJ
A pair of court rulings have expanded the scope of an Illinois biometric-privacy law that already was one of the toughest in the U.S., increasing potential civil liability for companies that collect personal data through facial-recognition technology, retinal scans or fingerprinting.

FTC moves to ban BetterHelp from sharing mental health data for ad targeting | Engadget
The Federal Trade Commission has moved to block online counseling company BetterHelp from sharing health data, including mental health information, with the likes of Facebook and Snapchat for advertising. As part of a proposed order, BetterHelp has agreed to pay $7.8 million to consumers to settle charges that it shared sensitive data for advertising purposes after promising to keep the information private.

'Neurorights' and the next flashpoint of medical privacy
Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside the Health Insurance Portability and Accountability Act and other legislative protections.

Europe

EDPB welcomes ‘improvements’ to EU-US adequacy decision, concerns remain
The European Data Protection Board released its nonbinding opinion on the draft adequacy decision based on the EU-U.S. Data Privacy Framework, welcoming what it called “substantial improvements” while expressing concern and requesting clarification on several points.

Misc

Supreme Court Hears Healthcare Identity Theft Case
Legal experts say a ruling in the Dubin case will be important on several levels, including in the prosecution of other cases involving the criminal use of a patient's protected health information moving forward.

A look at what's in China's new SCCs
The long-awaited Chinese standard contractual clauses and SCC Regulations were finally released by the Cyberspace Administration of China Feb. 24, effective June 1.

Play ransomware claims disruptive attack on City of Oakland
The Play ransomware gang has taken responsibility for a cyberattack on the City of Oakland that has disrupted IT systems since mid-February.