Hacking and third-party business associate incidents were the crux of the largest health data breaches reported to federal regulators in 2022, foreshadowing the top risks and threats that will likely plague healthcare entities and their vendors in the new year, as well.
Many of the major health data breaches being reported to regulators reflect a variety of poor practices by business associates, including retaining sensitive patient information for much longer than necessary, says Kate Borten, president of The Marblehead Group.
A Kansas-based vendor is notifying nearly 250,000 patients that their payment card and other personal information may have been compromised in a hacking incident that dates back to 2019 and involves its colonoscopy prep kit online retail business.
Potential regulatory policy moves by the federal government could help healthcare entities dedicate more resources to bolstering their cybersecurity efforts, says Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council.
Cybercriminals are becoming bolder in their attacks on healthcare entities and in how they're compromising patient data - and that's a very worrisome trend, says Nicholas Heesters of the Department of Health and Human Services' Office for Civil Rights.
Federal regulators have kicked off the New Year with a $16,000 HIPAA penalty against an Atlanta-based medical testing laboratory for failure to provide timely access to a patient records request. The settlement is the 43rd HHS enforcement action in these types of disputes.
In the latest legal volley between the Federal Trade Commission and Kochava, the FTC is asking a federal court to dismiss a "preemptive" lawsuit filed by the data broker last summer, weeks before the regulatory agency filed an enforcement action against the firm alleging data privacy violations.
A Utah-based senior healthcare firm paid a $200,000 settlement to two state attorneys general after it delayed reporting a 2019 data breach by 10 months. The breach affected 14,500 individuals and included Social Security numbers and medical treatment information.
The prospect of class action lawsuits being filed in the aftermath of a major data breach often has more impact on breached healthcare organizations than the potential for fines and enforcement actions by government regulators, says attorney Jeff Westerman of Westerman Law Corp.
A federal judge has denied a preliminary injunction against Meta that would have stopped the firm's Pixel tracking code on healthcare websites from collecting and disseminating patient information for advertising. But the judge says he could change his mind as more details about patient privacy emerge.
A resurrected proposal to enhance medical device security is nestled within the 4,155-page, $1.7 trillion omnibus spending bill that the Senate passed Thursday and sent to the House for approval. Medical device makers would be required to meet cybersecurity standards and disclose vulnerabilities.
An Oklahoma-based provider of administrative and technology services to healthcare organizations is notifying more than 271,000 individuals that their personal information may have been compromised in a hacking incident involving a third-party data storage vendor.
A Florida primary care practice will pay a $20,000 financial penalty and implement a corrective action plan to settle a HIPAA right of patient access dispute. The case is the 42nd such dispute resolved by the Department of Health and Human Services since April 2019.
A California dental practice that for years revealed patient data on Yelp must stop doing so and pay federal regulators a $23,000 fine. New Vision Dental, owned by Dr. Brandon Au, must also delete social media posts and send breach notification letters to affected patients.
Updated guidance from the Federal Trade Commission and the Department of Health and Human Services aims to clarify, for developers of mobile health apps that process health data, which privacy and security regulations apply to their products.