Tag archive for "Penalty"

attorneys, Events, Presentations

NYCLA CLE – May 15, 2012

Comments Off 14 May 2012

http://nycla.org/index.cfm?section=CLE&page=CLE_Detail&itemID=2682&dateID=20120515

Location: 14 Vesey Street

Program Co-sponsor: NYCLA’s Cyberspace Committee

Faculty: Raj Goel, brainlink.com and Natalie Sulimani, Law Offices of Natalie Sulimani

Articles

The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group | Mintz Levin – Privacy & Security – JDSupra

Comments Off 21 April 2012

Here’s a fantastic summary of the Phoenix Cardiac Surgery Group’s landmark HIPAA Violations penalty & settlement.

The days of small medical practices thinking they were too small for enforcement are (hopefully) over.

From JDSupra.com:

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information. OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriguez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

via The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group | Mintz Levin – Privacy & Security – JDSupra.

Articles

UTAH Medicaid hacked – over 181,000 records and 25,000 SSNs stolen

Comments Off 09 April 2012

The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) on Monday that the server that houses Medicaid claims was hacked. On Wednesday, the UDOH publicly announced the breach. On Friday, DTS revealed the damage:

181,604 Medicaid and Children’s Health Insurance Plan (CHIP) recipients had their personal information stolen.

Of those, 25,096 appear to have had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012.

via Medicaid hacked: over 181,000 records and 25,000 SSNs stolen | ZDNet.

Articles

FTC fines RockYou $250,000 for storing user data in plain text

Comments Off 04 April 2012

Social game developer RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission (FTC). The FTC charged that, while touting its security features, RockYou failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The FTC also alleged in its complaint that RockYou violated the Children’s Online Privacy Protection Act (COPPA) Rule in collecting information from approximately 179,000 children. In agreeing to the FTC’s settlement, RockYou has been barred from future deceptive claims regarding privacy and data security, has to implement and maintain a data security program, must submit to security audits by independent third-party auditors every other year for 20 years, is barred from future violations of the COPPA Rule, is required to delete information collected from children under age 13, and must pay a $250,000 civil penalty.

via FTC fines RockYou $250,000 for storing user data in plain text | ZDNet.

Articles

Breach Hits Card Processor Global Payments – shares drop 9%

Comments Off 31 March 2012

Global Payments didn’t disclose what type of data had been accessed, but said it had notified “appropriate industry parties to allow them to minimize potential cardholder impact.”

News of the breach broke in the morning but Global Payments confirmed it only after the market close. Global Payments shares tumbled 9% to $47.50 a share on the New York Stock Exchange, after people involved in investigating the breach identified the company to The Wall Street Journal as the victim of the attack. The stock was halted at midday. The company is scheduled to report quarterly earnings on April 4.

The breach underscores the mazelike network of the U.S. payment system, where little-known companies play important roles in processing billions of transactions each day. Global Payments is part of a group of companies called “third-party processors,” that serve as middlemen between merchants and banks.

Global Payments was the seventh-largest “merchant acquirer” in the U.S. last year, according to the Nilson Report, a payments-industry newsletter. Merchant acquirers have contracts with retailers to handle the processing of card transactions, including debit cards, credit cards and gift cards. Such third-party processors have been the target of big hacker attacks in the past.

via Breach Hits Card Processor Global Payments – WSJ.com.

Articles, News

Learn from the Blue Cross Blue Shield of Tennessee HIPAA breach

Comments Off 28 March 2012

In March 2012, BCBS of Tennessee agreed to pay $1.5M for HIPAA data breaches.

BCBS of Tennessee failed to encrypt hard drives containing voicemail files.

Is YOUR medical practice encrypting the hard drives and flash drives embedded within:

  • Laptops
  • Desktops
  • Servers
  • Copiers
  • Voice Mail systems
  • And other smart systems

The settlement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.

Continue Reading

Articles, News

ANSI Free Report – The Financial Impact of Breached Protected Health Information

Comments Off 28 March 2012

ANSI (the American National Standards Institute) has produced a phenomenal, and free, report on the financial impact of losing healthcare data.

It is highly recommended that you download it from http://webstore.ansi.org/phi/

Articles, News

New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy

Comments Off 28 March 2012

Still think HIPAA compliance is strictly for the big guys?

Still think your small medical practice or medical billing business is safe from hackers, criminals and litigators?

From the NY Times:

The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.

Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.

Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.

via New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy – Bankruptcy Beat – WSJ.

Articles, News

Ambulances turned away as computer virus infects Gwinnett Medical Center computers

Comments Off 12 December 2011

By Misty Williams and Joel Anderson

The Atlanta Journal-Constitution

Gwinnett Medical Center on Friday confirmed it has instructed ambulances to take patients to other area hospitals when possible after discovering a system-wide computer virus that slowed patient registration and other operations at its campuses in Lawrenceville and Duluth.

Staff members discovered the virus Wednesday afternoon and have been working since then with outside I.T. experts to fix the problem, spokeswoman Beth Okun said. In the meantime, the health system has been forced to switch back to paperwork.

The situation is expected to last through the weekend, Okun said.

via Ambulances turned away as computer virus infects Gwinnett Medical Center computers | ajc.com.

News

Google – Don’t be Evil – That’s OUR Job

Comments Off 30 August 2011

As usual, Google engages in practices that are orthogonal to its self-proclaimed mission of “don’t be evil”.

Apparently, they want YOU not to be evil…while they’re free to engage in deceptive and/or unethical practices.

Being a multi-billionaire isn’t enough…until you’ve peddled Canadian drugs to Americans.

Report: Justice Dept. says Page knew about rogue drug ads

By: Elinor Mills August 26, 2011 6:10 PM PDT

Google co-founder and CEO Larry Page condoned ads from rogue online Canadian pharmacies, says a Justice Department official who led the investigation into the case and talked to The Wall Street Journal about it.


Earlier this week Google agreed to pay $500 million to settle the dispute with the agency over the sale of the advertising through Google’s AdWords program to foreign pharmacies targeting ads at U.S. consumers. Now, Peter Neronha, the U.S. attorney for Rhode Island, tells The Wall Street Journal that it appears Page may have been aware of the sales for several years.

“Larry Page knew what was going on,” Neronha is quoted as saying in an article today. “We know it from the investigation. We simply know it from the documents we reviewed, witnesses that we interviewed, that Larry Page knew what was going on.”

via Report: Justice Dept. says Page knew about rogue drug ads | InSecurity Complex – CNET News.

Articles, News

Written Information Security Policy is INSUFFICIENT to comply with Massachusetts Data Privacy Law

Comments Off 29 August 2011

Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations

The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.

While there is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose, the Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions in order to determine appropriate restitution. This is the first settlement related to a violation of the Commonwealth’s relatively new data security regulations. While the Attorney General’s Office entered into a consent agreement with a restaurant chain in April 2011 for data security failures, that alleged breach occurred before the new data security regulations went into effect on March 1, 2010. (See our post about this consent agreement here.)

via Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations : Privacy Law Blog.

Articles, News

CIGNET’s HIPAA Penalty – $946 per record

Comments Off 22 August 2011

Raj Goel, CISSP, CTO

Brainlink International, Inc.

raj@brainlink.com

917-685-7731

Raj’s LinkedIn profile

Since 2005, the Ponemon Institute has released an annual study comparing the costs of data breaches.

According to the latest study, the cost per lost record ranges from $133 to $249, depending on your industry.

In light of that, the Office for Civil Rights’ penalty for CIGNET sets a new standard at $946/record ($4.3 million / 4,541 records).

This should help healthcare CSOs and CPOs get more attention from their CEOs and CFOs.

The OCR isn’t kidding about HIPAA penalties anymore.

About time.


Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@brainlink.com.

About, Presentations

Presentation Topics

Comments Off 13 July 2011

Each of my talks runs from 45-120 minutes.

I present the specific topic in 45 minutes, or really dive into it for 2 hours.

Multiple topics can also be combined into 2-, 3-, 4- or 6-hour sessions for half-day and full-day events.

The agendas/descriptions for each of the topics are:


1) Perils of Social Media – How Facebook, Google, Twitter, Social Media & Cloud Computing are creating Threats to Privacy, Security and Liberty

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.


2) Trends in Financial Crimes

This interactive and lively discussion presents an overview of US laws (HIPAA, Sarbanes Oxley (SOX), Gramm Leach Bliley Act (GLBA), PCI CISP Credit Card Compliance, the growing number of US state data breach notification laws). We trace the history of information security regulations and ID Theft. We examine credit theft and the threat it poses to the American banking industry, as well as the global economy and what governments around the world are doing to combat these crimes.

Special attention is paid to trends and growth in financial crimes, including:

* ID Theft
* Mortgage/Title Fraud
* SPAM /Botnet for Hire
* Credit Fraud
* Case Studies from around the world

Length: 50 minutes


3) Are you Googling your Clients’ privacy away?

This presentation addresses how various services offered by Google can become a threat to your companies’ privacy and confidentiality policies.

It deals with Google’s capabilities to capture and aggregate information with or without user knowledge. Special attention is given to Google’s key offerings such as:

* Google Searches
* GMail
* Orkut
* Google Toolbar
* Google Desktop
* Android
* Chrome Browser
* Case Studies from around the world

Length: 50 Minutes


4) Expanding your practice using LinkedIn

* This seminar will discuss Common myths about LinkedIn
* Proper uses and misuses of LinkedIn
* The power of LinkedIn Groups
* Case Studies examine different LinkedIn profiles, and how to create effective profiles

Length: 50 Minutes


5) Living in a MultiCompliance World – Part I HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and PCI-DSS compliance

This presentation provides an overview of the major federal and private information security laws and regulations in the United States.

Case studies examine the real-world impact of non-compliance, analysis of documented cases and guidance on implementing multi-compliance effectively.

Length: 90 minutes


6) Living in a MultiCompliance World – Part II

This presentation provides an overview of the impact the 37+ state privacy breach laws have on the federal regulations and PCI-DSS compliance. We examine the New York State Privacy Breach law in depth.

Length: 90 minutes


7) Lessons Learned From the FTC

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches. This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

Over the last decade, in the absence of a national Consumer Privacy Watchdog/Czar, the Federal Trade Commission (FTC) has set the standard for what it considers acceptable, and unacceptable behavior for companies and organizations conducting business within the United States.

The FTC doesn’t involve itself in the minutiae of security standards à la HIPAA, PCI, etc., nor does it dictate what protocols or technologies companies need to use. Rather, the FTC uses its Constitutional and Congressional mandate for regulating Interstate Commerce to hold companies accountable for their breaches.

This presentation will examine the FTC’s track record, put the sanctions in a larger context of privacy and security breaches, and most importantly, we will look at where the FTC is trending with the FTC Health Breach and RED FLAG regulations.

Length: 90 minutes


8) PCI Compliance is an expensive, moving target.

Many firms have chosen to become PCI compliant, others are content to sit by the sidelines and hope they won’t get caught.

Countless other firms have engaged in PCI compliance efforts, only to fall short and have significant breaches while being PCI compliant.

Pay NOW for effective, common-sense based compliance, or pay LATER in FTC fines, PCI fines and lawsuits.
Either way, you’re going to pay.

This presentation looks at a dollars-and-cents approach to PCI compliance.

Length: 45 minutes


9) Privacy and Security Challenges With Cloud Computing for Attorneys, Accountants and Business Owners

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA.  More than that, they have become household verbs.

Individual consumers and complete corporations moving to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this interactive event, we’ll explore strategies for managing the risks associated with:

- Data Loss Prevention
- Brand Protection
- Privacy Erosion
- Malware Protection
- FTC’s regulatory sanctions
- Guidance from the Courts, FTC, HHS and other regulatory bodies on Cloud Computing and Social Media

This has been presented twice at NYCLA (New York County Lawyers Association) and makes for a great ETHICS CLE for your law practice or Bar association.

Length: 45-90 minutes


10) Case Studies in Privacy and Security failures from around the globe

We examine large breaches from around the world (US, Canada, Japan, South Korea, Israel, UK, etc.), focusing on the historical, cultural and social factors that contributed to the breach.

We also draw out the common threads that tie these breaches together, into a comprehensive narrative.

Length: 45-90 minutes

Webinars

Trends in Financial Crimes

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/188/3182

News

U.S. Postal Inspectors Arrest HIPAA Identity Thief in Alabama

Comments Off 12 July 2011

On June 2, 2011, U.S. Postal Inspectors arrested a woman on charges that she stole identifying information on about 4,500 patients from a Birmingham hospital. According to the complaint, the individual stole the patient information from Trinity Medical Center while an associate of hers was a patient at the hospital.

Continue Reading

News

HHS in $865,500 HIPAA Settlement With UCLA Health System

Comments Off 12 July 2011

On July 6, 2011, the US Department of Health and Human Services announced that the University of California at Los Angeles Health System (UCLAHS) has agreed to settle HIPAA violations for $865,500.

Continue Reading

accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations

Lessons Learned From The FTC (Federal Trade Commission)

Comments Off 12 July 2011

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches. This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

Continue Reading

accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations

Trends In Financial (cyber) Crimes for Attorneys, Accountants and Business Owners

Comments Off 12 July 2011

This presentation discusses trends in financial crimes, and the role of technology in adding a new twist to old crimes.

The information explosion has led to an exponential growth in information security breaches. An information security breach occurs when there is an unauthorized acquisition and disclosure of private information, including Social Security numbers or credit/debit card numbers. These data breaches lead to financial crimes and identity theft.

Continue Reading

Articles, CISSP

Trends In Financial (cyber) Crimes

Comments Off 12 May 2009

Malicious attacks on databases and incidents of online and other tech-related thefts continue to evolve in number and manner, leaving both consumers and businesses scrambling to pay for the damage to their reputations and bottom lines.

Continue Reading


© 2012 Raj Goel, CISSP.