Privacy & Security
On September 25th, a former Okaloosa County, Florida paramedic, Christopher Wimmer, was sentenced to six months jail time and three years’ probation for taking “selfies” with incapacitated victims in ambulances last year and sending them to a co-worker. He and his co-worker, Kaylee Renee Dubois, were engaged in a “selfie war” with each other and snapped images and videos of patients in ambulances who were unconscious, sedated, intoxicated, or incapacitated. In total, 101 photos, 64 videos, and 41 patients were photographed or recorded during the so-called war, and a mere three patients consented to photographs being taken of them. Employees’ missteps with the privacy rights of patients have a negative lasting effect on their employer, their own career, and their patients.
According to data from HHS’ Office of Civil Rights (OCR), healthcare data breaches in 2017 are set to outpace those from 2016. Security experts have determined this increase is due to two factors: getting entry into a system has become easier, and organizations are now more inclined to report breaches. Yet despite the increase in data breaches and the costs of settling with HHS OCR, a majority of healthcare organizations are still only spending 1-6% of their budgets on cybersecurity measures.
Though the rain has stopped falling, Houston is still dealing with the aftermath of Hurricane Harvey, one of the largest and most destructive rainfall events on record. Healthcare providers in particular find themselves struggling to keep up with the various health problems caused by the flooding itself, on top of getting life-sustaining care to individuals with chronic or preexisting conditions. Crises like Harvey create serious problems for the delivery of care, but also for regulating it—circumstances are so uniquely devastating that standards can feel like barriers to necessary medical attention. And when family and friends are desperate to know if their loved one is out of danger, even the right of privacy seems negligible.
However, natural disasters and emergency events shouldn’t be used as an excuse to regulate away protections individuals depend on, such as the privacy and confidentiality of their personal information. Regulators must be careful when determining how to respond in a crisis—overreaching for the sake of bringing relief or under-regulating for flexibility can leave the public high and dry when the floodwaters recede.
The internet of things (IoT) holds promise for new ways to interact with and leverage technology; however, ever-expanding connectivity brings increased vulnerability. Addressing security and privacy issues is necessary for the continued growth of the IoT—and, as the U.S. Federal Trade Commission’s case against D-Link Corporation demonstrates, one of vital interest to regulatory lawmaking bodies as well.
Global music technology giant and headphone maker, Bose Corporation, has been hit with a class-action lawsuit alleging that Bose collected the listening preferences of the users of its wireless headphones and its companion application without their knowledge and sold that information to third parties. Counsel representing the class filed the complaint in federal court in Chicago, Illinois alleging violations of the Electronic Communications Privacy Act (“ECPA”) and the Illinois-specific Eavesdropping Statute.
The 2016 National Basketball Association Champions, the Golden State Warriors, have been accused of wiretapping and listening in to fans’ conversations without consent or knowledge in violation of the Electronic Communications Privacy Act (“ECPA”), also referred to as the Wiretap Act. A new amended complaint alleges the warriors recorded fans’ oral dialogue via a phone application typically used to keep fans up-to-date on team scores, schedules, news, and statistics.
In an unprecedented act, the Office for Civil Rights (OCR) entered into a settlement agreement with Presence Health Network based on the healthcare system’s failure to timely report a breach of unsecured protected health information (PHI). Under the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) a covered entity must notify affected individuals, the Department of Health and Human Services (HHS), and the media for breaches affecting 500 people or more. Presence Health will pay $475,000 and implement a corrective action plan (CAP) to address misunderstandings in workforce member roles and responsibilities relating to the notification process.
Christine Bulgozdi Associate Editor Loyola University Chicago School of Law, JD 2018 Back in November, the Department of Human Services (HHS) Office of Civil Rights (OCR) released an alert stating that a phishing scam masquerading as an OCR Audit had been spotted being sent out to Health Information Portability and Accountability Act (HIPAA) covered …
Alexander Thompson Associate Editor Loyola University Chicago School of Law, JD 2018 On February 16, 2017, the HHS Office of Civil Rights Acting Director, Robinsue Frohboese, announced the second largest HIPAA settlement fine ever. At $5.50 million, Memorial Healthcare System’s fine was just behind the $5.55 million given to Advocate Healthcare in 2016. Memorial …
Mary H. Carlson Associate Editor Loyola University Chicago School of Law, JD 2018 Social media has emerged as a preferred platform for the expression of personal opinions, a means of gathering new information, and as an important networking tool. However, health care profs subject themselves to particular dangers health care professionals (HCPs) subject themselves …