Top Stories

AHA Tells HHS to 'Amend or Suspend' Web Tracking Guidance
The AHA is urging the Department of Health and Human Services to immediately amend or rescind its online tracking guidance issued in December aimed at protecting reproductive healthcare and other sensitive health information, arguing that regulators "erred" by treating all IP addresses collected by these technologies as protected health information under HIPAA.

Meta Fined $1.3 Billion for Violating E.U. Data Privacy Rules - The New York Times
Meta on Monday was fined a record 1.2 billion euros ($1.3 billion) and ordered to stop transferring data collected from Facebook users in Europe to the United States, in a major ruling against the social media company for violating European Union data protection rules.
Breaches

Data Breach at Debt Collection Agency Impacts Multiple Healthcare Providers
R&B Corporation of Virginia, also known as Credit Control Corporation (CCC), reported a data breach to the Maine Attorney General’s Office that impacted more than 286,000 individuals. CCC is a business associate to a variety of healthcare organizations.

2M Individuals Impacted by Healthcare Data Breach at Apria Healthcare
Nearly 2 million patients were notified by Apria Healthcare about a healthcare data breach that dates back to April 2019, during which hackers infiltrated their computer systems and accessed personal health information (PHI) over a series of months.

Cyberattack of Amazon's PillPack compromised user health info
An unauthorized person used customer emails and passwords to log into PillPack customer accounts, over 3,000 of which contained prescription information. Social Security numbers and payment information were not involved in the attack, according to the online pharmacy.

NY AG Fines Practice Management Firm $550K in 2020 Breach
Amherst, New York-based Professional Business Systems Inc., which does business as Practicefirst Medical Management Solutions, in January 2019 failed to apply a software update from its firewall provider to patch a critical vulnerability, said New York Attorney General Letitia James in a statement Tuesday.

CommonSpirit Ups Cost Estimate on Its 2022 Ransomware Breach
Hospital chain CommonSpirit upped its estimate of the financial toll incurred by a ransomware incident last fall that disrupted patient services at some of its facilities for weeks, saying the incident cost it an estimated $160 million.
Security

Cybersecurity Chiefs Navigate AI Risks and Potential Rewards - WSJ
Security chiefs say the benefits of artificial intelligence are clear, but that the promises and risks of early generative AI are overblown.

KY Health System Suffers Cyber Incident
Kentucky-based Norton Healthcare is responding to and recovering from a cyber incident that began on May 9 and led to longer phone wait times and delays in network-related capabilities. The health system’s initial notice stated that its information services team noticed suspicious network activity on May 9 and also received a faxed communication containing demands and threats.
Privacy
New options for anonymization ahead?
The question of what constitutes "personal data" touches on the foundation of data protection law, as it determines whether or not the GDPR and other data protection laws apply. Notwithstanding, the circumstances in which a natural person is "identifiable," and personal data can therefore be processed, are far from clear. In particular, the concept of anonymization remained clouded for decades, with EU data protection supervisory authorities and national courts holding anonymization is virtually impossible as long as someone, even a third party, can identify the respective person (referred to as the "absolute" concept of identifiability).
Europe
Meta fined GDPR-record 1.2 billion euros in data transfer case
The fine, which is the highest to date under the nearly five-year-old EU General Data Protection Regulation, was accompanied by an order requiring Meta Ireland-owned Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compliance "by ceasing the unlawful processing, including storage, in the U.S. of personal data" of EU and European Economic Area users within six months of the DPC's notification to Meta.
Misc
Unlawful data processing claims: An insurance perspective
Privacy-related claims are on the rise, and they have focused on the wrongful collection of personal data. In turn, insurance carriers scrutinize companies' security practices and assess the types of data they collect and how it is used. Insurance carriers increasingly require supplemental applications to specifically address how policyholders collect personal data.