On Feb. 6, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $4.75 million settlement with New York non-profit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks.
Continue Reading OCR Continues Holding Healthcare Entities Accountable for Protected Health Information Breaches
McGuireWoods LLP
At McGuireWoods, we deliver quality work, personalized service and exceptional value. We use technology to provide efficient legal solutions and employ a diverse workforce to bring real-world and innovative perspectives to meeting our clients’ needs. With 1,100 lawyers and 21 strategically located offices worldwide, McGuireWoods uses client-focused teams to serve public, private, government and nonprofit clients from many industries, including automotive, energy resources, healthcare, technology and transportation.
Illinois Supreme Court: Certain Collected Biometric Data Is Exempt From BIPA Protections
On Nov. 30, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act, is not protected under the Illinois Biometric Information Privacy Act. Read on for details about this development and…
FTC Proposes Modifying Health Breach Notification Rule for Non-HIPAA Entities
Seeking to formalize its Sept. 15, 2021, Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the Federal Trade Commission proposed broadening the Health Breach Notification Rule to cover “most health apps and similar technologies that are not covered by HIPAA.” Read on for details about this proposed rule, which is…
SEC Adopts Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rules
On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for…
DHS Issues Final Rule Regulating Federal Contractors’ Handling of Controlled Unclassified Information
On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.
Read on for highlights from this rule, which goes into effect July 21 and is likely…
Five Years It Is — Illinois Supreme Court Decides BIPA Statute of Limitations
The Supreme Court of Illinois relied on legislative intent, policy concerns and precedents to hold that all Biometric Information Privacy Act claims are subject to a five-year statute of limitations. Read on to learn more about the Tims v. Black Horse Carriers, Inc. opinion and how it may impact businesses and their BIPA decisions going
Ohio Supreme Court: Insurance Policy Does Not Cover Ransomware Attack on Software
In a unanimous decision, the Ohio Supreme Court found that a computer software company’s business owners insurance policy does not cover losses resulting from a ransomware attack on the company’s computer software systems because the attack did not cause physical loss or physical damage to the software.
Read on for background on this case and…
FCC Drops Message That Ringless Voicemails Are Subject to TCPA
On Nov. 21, 2022, the Federal Communications Commission issued a declaratory ruling and order finding that “ringless voicemails” to wireless phones are “calls” made using an artificial or prerecorded voice. Such calls, therefore, are subject to the Telephone Consumer Protection Act and callers must obtain consent before delivering such messages.
Read on to learn about…
New California Law Bans Tech Companies From Disclosing Data for State Abortion Investigations
Compliance with out-of-state investigative requests, like warrants, just got a little trickier for some California-based companies.
Read on for details and implications of a new California law that, among other things, prohibits technology and communications companies based in the state from providing user data to out-of-state authorities investigating abortions that would be legal under California
FinCEN Leader’s Remarks Focus on Securing Digital Identity
During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN acting Deputing Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.
Read on for details and analysis of his remarks and proactive steps financial institutions…