data breach notification

Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people).

21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4, that it was the latest victim of a cyber-attack affecting 2.2 million individuals. When did the attack occur? Months ago.

The breach occurred as early as October 3rd of last year when a hacker accessed a database containing current and former patient names, Social Security numbers, physician names, diagnosis and treatment information and insurance information. The FBI informed the company of the possibility of a breach in November of 2015, prompting the company’s investigation. After a five-month delay, requested by the FBI, the company announced the breach (see HERE) and is offering patients one year of identity theft protection services.

As reported in a Privacy and Security Matters post last week, we maintain a summary of the U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.” We update the Mintz Matrix on a quarterly basis, or more frequently if necessary. The Mintz Matrix is available here. This update includes new information about Kentucky and Iowa laws.

We hope this chart is helpful to you, but we must note that it is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.