When dealing with a cybersecurity incident response, nonprofit healthcare systems have different constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and

Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under

For over 100 years, the National Association of Insurance Commissioners (NAIC) has been developing model legislation to encourage uniformity among states for the regulation of insurance products.  The NAIC model laws and guidelines are proposed statements of insurance regulation for all 50 states as well as the other jurisdictions (such as D.C. and Guam).  Once passed, states can choose to adhere to the NAIC’s model laws fully, with modifications, or not at all.  If a state chooses to adopt the model law, its adoption will apply to all insurance carriers, managing general agents, agencies, and producers operating in that state. Continue Reading Navigating Cybersecurity and Data Privacy Regulations in the Insurance Industry

Last week, Merck & Co. filed documents with the Supreme Court of New Jersey indicating that it reached a settlement with its “all risk” property insurers in a long-running coverage dispute involving over $1.4 billion in losses stemming from a 2017 NotPetya cyberattack that impacted tens of thousands of Merck computers. Read on for analysis

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.

On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely

Cyberattacks on corporate networks are on the rise, and the ramifications from such attacks can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across industries aimed at preventing breaches jumping 51%. And while businesses suffering cyberattacks

In a unanimous decision, the Ohio Supreme Court found that a computer software company’s business owners insurance policy does not cover losses resulting from a ransomware attack on the company’s computer software systems because the attack did not cause physical loss or physical damage to the software.

Read on for background on this case and

On July 8, 2022, the U.S. Department of Justice announced a $9 million
settlement with federal government contractor Aerojet Rocketdyne, Inc. for
alleged violations of the False Claims Act in a case pending in the Eastern
District of California. The settlement results from alleged false
statements by Aerojet related to compliance with Department of Defense