Archive for the ‘Privacy Incidents’ Category
Tuesday, April 17th, 2012
Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.
As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)
Tags: audit, breach, breach response, change controls, compliance, DTS, encryption, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Utah
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Privacy Incidents | No Comments »
Friday, July 8th, 2011
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
Tags: accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »
Wednesday, February 2nd, 2011
I’ve been getting a lot more questions about HIPAA and HITECH lately from folks I’ve never met, but who have concerns about the security and privacy of their health information (“protected health information” or “PHI” as referenced within HIPAA/HITECH), businesses that are trying to understand how to protect PHI according to the regulatory requirements, and a growing number who express frustration with the unsecure ways in which clients, customers, patients and business partners are sharing information with them. There just are not enough hours in the day to answer them all, but I decided I’d start sharing some of the questions, and my corresponding answers, that seem to be topics that a wide range of readers may be interested in.
I was recently contacted by someone who had a question about a recent HIPAA complaint against Rowan Regional Medical Center (more…)
Tags: awareness, healthcare, HHS, HIPAA, HITECH, hospital, Information Security, insider threat, OCR, PHI, privacy, Rebecca Herold, Rowan Regional Medical Center, training
Posted in healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance, Privacy Incidents, Training & awareness | 2 Comments »
Thursday, September 10th, 2009
Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy. Here is the information about the event…
(more…)
Tags: awareness and training, breach law, breach notification, breach response, encryption, HIPAA, HITECH Act, Information Security, IT compliance, IT training, law, patient privacy, personally identifiable information, PII, policies and procedures, privacy training, security training
Posted in Information Security, Laws & Regulations, Privacy Incidents | No Comments »
Wednesday, July 1st, 2009
Tags: awareness and training, identity fraud, identity theft, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy breach, privacy training, risk management, security training
Posted in Privacy Incidents | No Comments »
Wednesday, July 1st, 2009
Tags: awareness and training, identity fraud, identity theft, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy breach, privacy training, risk management, security training
Posted in Privacy Incidents | No Comments »
Wednesday, June 10th, 2009
Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet…
(more…)
Tags: awareness and training, HIPAA, Information Security, insider threat, IT compliance, IT training, patient privacy, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Privacy and Compliance, Privacy Incidents | No Comments »
Wednesday, June 3rd, 2009
I received a provacative question on Twitter last week from idExperts, “If you had a wish list of rights for identity theft victims, what would that be?”
Sounds like a great blog topic! 
Here are my thoughts…
(more…)
Tags: awareness and training, identity theft, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Privacy Incidents | 1 Comment »
Wednesday, May 27th, 2009
I got the June 1 issue of Newsweek today, and something that’s bothered me ever since I first heard about it was on page 4…
(more…)
Tags: awareness and training, Catsouras, Information Security, insider threat, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Privacy Incidents, Training & awareness | No Comments »
Monday, April 6th, 2009
Once more, here is an example of how carelessness and/or a mistake leads to a privacy breach…
(more…)
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy awareness, privacy breach, privacy training, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance, Privacy Incidents | No Comments »
