Information Security & Data Breach Report November 2013 Update


Headlines like "State Attorneys General Are Crucial Force in Enforcement of Data Breach Statutes" and "Lawmakers Push for Federal Data Breach Notification Law" demonstrate increasing local and national concern with information security. [1] With more regulatory bodies taking notice of data privacy events, it has become clear that companies need the proper risk management protocols in place to handle this increasingly complex environment.

We are pleased to present our latest report, which is designed to provide you insights into notable breaches and identify trends with the objective of answering the following principal questions:

1. What is the total number of breaches per quarter?
2. What types of entities are experiencing breaches?
3. What is the average number of days between discovery and disclosure of a data breach?
4. What types of data are being compromised?
5. What is the average number of records per breach?
6. What are the leading causes of data breaches?
7. What is the average total cost of a data breach?

METHODOLOGY USED FOR IDENTIFYING DATA BREACHES

Navigant captured all major data breaches disclosed publicly during the second quarter of 2013 (April 1, 2013 to June 30, 2013) for comparison against data from the prior four quarters ("Four Quarter Average"). [2] As part of the methodology, Navigant evaluated multiple sources to compile a list of breaches that took place in the United States involving a minimum of 1,000 exposed or potentially exposed records. [3] The incidents identified in this report involve breaches in which physical or electronic records were hacked, lost, stolen, or improperly exposed or discarded.

DATA BREACH SCORECARD

Healthcare entities accounted for the largest percentage of the data breaches in both reporting periods (Q2: 52% vs. Four Quarter Average: 45%).
The average number of days between discovery and disclosure of Corporate breaches decreased to 51 days from the prior Four Quarter Average of 61 days.
Hospitals experienced breaches more often than other healthcare entities across reporting periods (Q2: 34% vs. Four Quarter Average: 37%).
The average number of records exposed per data breach was 56% below the Four Quarter Average (Q2: 19,694 vs. Four Quarter Average: 44,445).
There was a 47% decrease in the number of records breached between reporting periods (Q2: 1.24 million records vs. Four Quarter Average: 2.32 million records).

1. WHAT IS THE TOTAL NUMBER OF BREACHES PER QUARTER?

We identified 63 major data breaches in Q2 compared to the average of 52 from the previous four quarters, a 21% increase. This is the second largest number of breaches identified in the history of this report; in our inaugural edition, we identified 77 breaches in Q The Q2 breaches exposed 1,240,698 records, which is 1.08 million records fewer than the prior Four Quarter Average of 2,322,263. Half of the top ten breaches in Q2 involved Government entities, followed by two Healthcare breaches, two Corporate breaches and one breach in the Education sector. The top five breaches in Q2 represented over 724,000 records, 58% of the total. During the prior four quarters, seven out of the top ten breaches were either Corporate or Education entities.

One of the largest breaches identified in Q2 occurred at a regional medical center in California. In late 2012, the hospital contracted with a local vendor to digitize and then destroy X-rays from patient files. The medical center learned from law enforcement in March 2013 that its files were missing. The hospital, working with local law enforcement, immediately began an internal investigation to determine what happened. The missing radiology records pertain to dates of service prior to February 2011 and may include patient names, dates of birth (DOBs), addresses, medical record numbers, physician names, diagnoses, radiology procedures, radiology interpretations, health insurance numbers and, in some instances, Social Security numbers (SSNs). In response to this incident, the company contacted all affected users and offered free credit monitoring. The medical center also set up a toll free number for those affected and implemented additional security measures to protect patients from future breaches.

2. WHAT TYPES OF ENTITIES ARE EXPERIENCING BREACHES?

Our report classifies the organizations affected by data breaches into five categories: Healthcare, Corporate, Education, Government and Other. [4] These designations provide an overview of the entities that experienced a physical or electronic records breach.

Across Q2 and the Four Quarter Average, Healthcare entities experienced the largest percentage of breaches identified. In Q2, Healthcare entities accounted for 52% of all breaches identified, followed by Corporate (19%), Government (16%), Education (10%), and Other (3%) (See Figure 1). For the Four Quarter Average, Healthcare entities experienced 45% of the data breaches identified, followed by Corporate (17%), Education (17%), Government (16%), and Other (5%) (See Figure 2).

As part of Navigant's analysis, we further segmented Healthcare entities to get a better sense of the types of organizations affected by data breaches. The types of Healthcare entities which experienced data breaches in Q2 and the prior four quarters are shown on the following page. Hospitals are the largest single category of Healthcare data breaches: 34% in Q2 and an average of 37% in the prior four quarters. The percentage of data breaches occurring at Physician Offices declined significantly, from 25% in the Four Quarter Average to 15% in Q2. Conversely, the number of Mental Health Treatment Facility breaches increased to 15% in Q2 from only 3% in the Four Quarter Average.

FIGURE 1: BREACHES BY TYPE OF ENTITY
Healthcare 52%, Corporate 19%, Government 16%, Education 10%, Other 3%

FIGURE 2: PRIOR FOUR QUARTERS BREACHES BY TYPE OF ENTITY
Healthcare 45%, Corporate 17%, Education 17%, Government 16%, Other 5%

Healthcare Entity Type: Q2 vs. Four Quarter Average
Hospitals: 34% vs. 37%
Physician Offices: 15% vs. 25%
Mental Health Treatment Facility: 15% vs. 3%
Clinics: 15% vs. 9%
Health System: 9% vs. 10%
Home Health Services: 6% vs. 7%
Surgical Center: 3% vs. 1%
Dental Practice: 3% vs. 6%
Rehabilitation Facility: 0% vs. 2%

A notable Healthcare data breach involving the loss of sensitive medical and personal data took place at a counseling and treatment center with several locations across southern Arizona. One of the center employees was the victim of a burglary resulting in the loss of a company laptop and external hard drive. The thief broke into the employee's home sometime in mid-March The employee, upon discovering the laptop and external hard drive were missing, filed a police report. The external hard drive contained the names, DOBs and treatment plans of over 3,000 patients who visited the centers between 2011 and Those affected by the data breach were notified by letter and offered free credit monitoring. According to news reports, it is not clear what additional remediation steps the company took following this breach.

3. WHAT IS THE AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE OF A DATA BREACH?

Data security regulations and the increasing danger of identity theft have elevated the importance of a timely response and disclosure after the discovery of a data breach. Forty-six states and several U.S. territories including Guam, the Virgin Islands and Puerto Rico have enacted data breach reporting requirements. Some states allow for a company to conduct a reasonable investigation of the incident before notification while other states have established specific timelines for notification.

States such as North Dakota, South Carolina and Vermont have recently passed legislation strengthening their data breach notification rules. In North Dakota, the state legislature expanded the definition of personal information under House Bill No to include health insurance information and medical information. Vermont now requires financial institutions regulated by the state to provide notice of a breach to the Department of Financial Regulation. Under Vermont's House Bill No. 513, consumers must be notified no later than 45 days after the discovery of a data breach and the Attorney General within 14 business days. States without specific data breach notification laws include Alabama, Kentucky, New Mexico and South Dakota.

The average number of days between discovery and disclosure for all breaches decreased to 54 days in Q2 from 55 days in the Four Quarter Average. We also track the average number of days between discovery and disclosure by type of entity (See Figure 3). The two entity types that experienced significant change in this metric were Corporate and Other.

FIGURE 3: AVERAGE NUMBER OF DAYS BETWEEN DISCOVERY AND DISCLOSURE BY TYPE OF ENTITY (Corporate, Education, Government, Healthcare, Other)

The significant decrease in time between discovery and disclosure for Corporate entities can be attributed to several breaches that were disclosed less than 20 days after discovery of the incidents. One of these breaches involved the largest provider of discounted phone service to low-income families. A newspaper investigation found more than 170,000 customer records from 26 different states available online. The records were identified through a Google search and included SSNs, DOBs and information about participation in other government-assistance programs. The records were being stored online by a third party vendor who helps the company determine eligibility for the program. Of the 170,000 records, 44,000 were application or certification forms while 127,000 were supporting documents such as photos of driver's licenses, tax records, pay stubs including bank account information or passports. The company, upon learning of the breach, removed the information from the Internet and began an internal investigation. Several hundred applicants who were at heightened risk of identity theft and those in Texas, Minnesota, Nevada and Illinois were contacted about the breach. The company established a hotline for those affected by the incident and has offered free credit monitoring to those most at risk.

Currently, both federal and state authorities require that entities holding personal health information must disclose that a data breach has occurred. The Department of Health & Human Services (HHS) issued data breach regulations in August At the same time, similar breach notification regulations were issued by the Federal Trade Commission (FTC). As part of directives under the Health Information Technology for Economic and Clinical Health (HITECH) Act, finalized in January 2013, both the HHS and the FTC require HIPAA-covered entities to provide notification following a breach of protected health information no later than 60 days after the incident. [5] Our analysis shows the average number of days between discovery and disclosure of breaches of medical records was 70 days for the prior four quarters compared to 64 days in Q2, representing a 9% decrease.

4. WHAT TYPES OF DATA ARE BEING COMPROMISED?

The types of data being compromised include personally identifiable information (PII), such as names, DOBs or SSNs; protected health information (PHI), such as information related to medical conditions, the provision of healthcare, or payment for the provision of healthcare; and financial information, such as bank account or credit card numbers.

We identified several categories of data commonly at risk in data breaches including: Names, Contact information, SSNs, DOBs, Medical records, Credit Cards, addresses, Financial information and Miscellaneous information (See Figure 4). Many of the incidents identified in this report have multiple types of data associated with each breach.

In Q2, the percentage of breaches involving some of the most sensitive data was below the Four Quarter Average, including SSNs (Q2: 52% vs. Four Quarter Average: 56%) and DOBs (Q2: 40% vs. Four Quarter Average: 42%). Healthcare entities accounted for over 68% of the total breaches involving DOBs in Q2.

A breach that involved almost 6,000 patient records containing PHI and other data took place at a pediatric primary care clinic in Florida. In April 2013, the clinic, part of a university health system, was notified by federal authorities and the Secret Service that an employee potentially accessed patient medical records as part of an identity theft ring. The employee may have used the records to steal personal information including names, addresses, DOBs and SSNs. The university began an internal investigation and immediately terminated the employee. The employee's job description permitted access to patient records. The university clinic, out of caution, set up a toll free hotline to answer questions and offered identity theft monitoring services for one year. It is not clear from news reports what steps, if any, the clinic took to enhance its protocols and security measures concerning patient record access.

FIGURE 4: BREACHES BY TYPE OF INFORMATION (Name, Contact, SSN, DOB, Medical, Credit Card, Financial, Misc)

Breaches of medical information, on the other hand, were above the Four Quarter Average (Q2: 49% vs. Four Quarter Average: 48%).

5. WHAT IS THE AVERAGE NUMBER OF RECORDS PER BREACH?

Navigant has calculated the average number of records per breach by type of entity (See Figure 5). This analysis revealed that the average number of records per breach was 56% lower in Q2 than the previous four quarters (Four Quarter Average: 44,445 vs. Q2: 19,694). The largest change between reporting periods was an 81% decrease for Other entities (Four Quarter Average: 25,454 vs. Q2: 4,863). The average number of records per breach for Corporate entities in Q2 decreased 69% from the prior four quarters (Four Quarter Average: 75,340 vs. Q2: 23,517). Government entities experienced a 58% decline from 89,392 records in the prior four quarters to 37,271 records in Q2. The average number of records per breach for Education entities was 53,948 during the prior four quarters versus 28,350 in Q2, a decrease of 47%. Healthcare entities averaged 15,518 records during the prior four quarters compared to 12,302 records in Q2, a 21% decrease.

FIGURE 5: AVERAGE RECORDS PER BREACH BY TYPE OF ENTITY (Q2 vs. Four Quarter Average)
Corporate: 23,517 vs. 75,340
Education: 28,350 vs. 53,948
Government: 37,271 vs. 89,392
Healthcare: 12,302 vs. 15,518
Other: 4,863 vs. 25,454

6. WHAT ARE THE LEADING CAUSES OF DATA BREACHES?

The different causes of a data breach are summarized into seven major categories: Virus, Hacking, Loss, Theft, Public Access/Distribution, Unauthorized Access/Use, and Improper Disposal. [6] The relative volume of data breach methods used in Q2 is shown in Figure 6. The Four Quarter Average had a similar break-out (See Figure 7).

FIGURE 6: BREACHES BY TYPE OF METHOD (Q2)
Theft 25%, Public Access or Distribution 22%, Hack 18%, Unauthorized Access/Use 18%, Loss 11%, Virus 6%

FIGURE 7: BREACHES BY TYPE OF METHOD (Four Quarter Average)
Theft 35%, Hack 19%, Public Access or Distribution 15%, Unauthorized Access/Use 13%, Loss 11%, Virus 4%, Improper Disposal 3%

In Q2, Public Access or Distribution, Unauthorized Access/Use and Virus were trending up compared to the Four Quarter Average; however, Theft was trending downward and Hacking and Loss were essentially unchanged.

Looking at the data by method of breach and type of entity, we identified some interesting statistics. Across both reporting periods, 67% of Thefts took place at Healthcare entities. In the prior four quarters, 40% of breaches at Education entities involved Public Access or Distribution and only 16% in Q2. Government entities were most often hit with breaches involving Hacking or Public Access or Distribution across both reporting periods. In the prior four quarters, 22% of Corporate entity breaches involved Unauthorized Access/Use, but in Q2 this method accounted for only 17%.

A western state's administrative court system was breached by hackers exposing up to 160,000 SSNs and possibly one million driver's license numbers. The hack happened sometime in September 2012 but was not detected until early The court system launched an internal investigation and discovered that hackers gained access to data through a commercial software program used by the state. The state immediately patched the software and disclosed the breach in Q2. Those affected by the breach were from two specific groups. The first group includes individuals who were booked into jail between September 2011 and December 2012 and had their name and SSN accessed. The second group includes individuals who received a DUI citation in the state between 1989 and 2011, had a traffic case resolved between 2011 and 2012, or had a criminal case filed against them that was resolved in 2011 and The state, following its investigation, took several steps to increase security of its records including isolating sensitive data to more protected areas and implementing additional code to detect hackers and new encryption rules. The state also set up a website and toll free hotline to answer questions about the incident.

Navigant also tracked the format of breached records in three categories: physical, electronic and a combination of both. Electronic records are defined as those that may be accessed via CD-ROM, laptop, thumb drive, other media devices, , website or server. In Q2, 79% of the records compromised were electronic, 16% were physical records and 5% were unknown. Across the Four Quarter Average, 83% of compromised records were electronic while 13% were physical records; 1% were classified as a combination of both electronic and physical records, while 3% were in an unknown format.

7. WHAT IS THE AVERAGE TOTAL COST OF A DATA BREACH?

Cost may be the first concern of an organization in the wake of a data breach. One of the foremost studies on this issue is published by the Ponemon Institute, which provides statistics regarding the total costs of a data breach. Costs may include detection, discovery, notification, potential legal costs, ex-post costs, loss of customers, and/or brand damage, but will vary with each specific breach. For purposes of this report, Navigant used the Ponemon cost per record to estimate the average total cost of a data breach by type of entity and method of breach. [7]

A community college in Iowa suffered a data breach affecting more than 125,000 current and former students on March 13, Hackers were able to gain access to student application records from February 2005 to March 2013 by accessing the course-application portal. The application information included applicant names, DOBs, race, contact information and SSNs. According to news reports, once the college identified the breach, it notified the FBI and contracted a data security firm. Following the investigation, the college began to contact those affected in early April with a letter explaining the breach and offering identity theft monitoring free of charge. Using the Ponemon Institute study estimates, the total cost of this data breach might be as high as $24 million. Following the breach, the college took down the course-application portal for almost four weeks to improve its security.

The average total cost of a data breach in Q2 was $3,702,400, a 56% decrease from the Four Quarter Average of $8,355,700. Some notable results from the analysis of average total cost of a data breach by entity were (See Figure 8):

In Q2, Government ($7,006,967), Education ($5,329,863) and Corporate ($4,421,212) entities were above the average total cost of $3,702,400. Healthcare and Other entities were below the average by 38% and 75% respectively.
For the Four Quarter Average, Government entities' costs, at $16,805,713, were more than double the average total cost.
Corporate ($14,163,993) and Education ($10,142,160) entities were also above the Four Quarter Average total cost, while Healthcare and Other entities were below the average.

FIGURE 8: AVERAGE TOTAL COST BY TYPE OF ENTITY (Q2 vs. Four Quarter Average)
Corporate: $4,421,212 vs. $14,163,993
Education: $5,329,863 vs. $10,142,160
Government: $7,006,967 vs. $16,805,713
Healthcare: $2,312,713 vs. $2,917,398
Other: $914,150 vs. $4,785,284

FIGURE 9: AVERAGE TOTAL COST BY TYPE OF BREACH (Hack, Improper Disposal, Loss, Public Access or Distribution, Theft, Unauthorized Access/Use, Unknown, Virus)

The average total cost of a data breach varied widely by type of entity between quarters. Average cost for Other entities fell to $914,150 in Q2 from $4,785,284 in the prior four quarters, an 81% decrease, the largest between reporting periods. Corporate entities decreased 69%, from the Four Quarter Average of $14,163,993 to $4,421,212 in Q2. Government entities decreased 58%, from $16,805,713 during the Four Quarter Average period to $7,006,967 in Q2. Education entities decreased their average total cost by 47% between reporting periods (Four Quarter Average: $10,142,160 vs. Q2: $5,329,863). The average total cost for Healthcare entities decreased 21% (Four Quarter Average: $2,917,398 vs. Q2: $2,312,713).

Navigant also calculated the average total cost by method of breach (See Figure 9). Hacking (Four Quarter Average: $20,302,236 vs. Q2: $6,901,514) showed the most significant decrease in costs from the Four Quarter Average to Q2. Virus saw the largest percentage decrease between reporting periods, a 90% reduction (Four Quarter Average: $6,688,241 vs. Q2: $697,010). The other categories with significant reductions in average cost included Theft, Loss and Unauthorized Access/Use.

In Q2, Hacking ($6,901,514) was the most expensive type of breach, followed by Loss ($6,769,799) and Public Access or Distribution ($4,834,554). For the Four Quarter Average, Hacking ($20,302,236) was again the most expensive type of breach, followed by Loss ($11,802,550) and Public Access or Distribution ($7,558,443).

SPOTLIGHT ON NOTABLE BREACHES

Company/Organization: Drupal.org
Industry: Internet
Record Type: Electronic
Method: Hacking
Size of Breach: 1 Million User Accounts
Type of Data Breached: Addresses, User Names, Passwords

Drupal.org, a popular open-source content website, was hacked in May The Portland, Oregon based collective said a routine security audit found that hackers had installed malicious software on its website allowing others to look through account information. Drupal, following the hack, shut down both drupal.org and groups.drupal.org before beginning a forensic security review. The company notified users of the intrusion on its website and required those logging into the site to change their passwords to gain access. According to news reports, the hack involved 1 million users and the files breached contained user names, addresses, countries where users live and hashed passwords. Following the incident, the company took several steps to improve security including scanning for malicious or dangerous files and creating a static archive of older files.

[1] "State Attorneys General Are Crucial Force in Enforcement of Data Breach Statutes," Bloomberg BNA (October 7, 2013) and "Lawmakers Push for Federal Data Breach Notification Law," PC World (July 18, 2013).

[2] includes Q Q

[3] For purposes of this study Living Social, Drupal Association, Facebook and Scribd were considered outliers in the last quarter and thus not reported as part of the quarterly data. The Drupal breach is discussed under the Notable Data Breaches section of this report. Quarterly data reported in prior studies may change when information regarding breaches is identified or amended.

[4] Insurance companies are classified as Corporate entities for the purposes of this study, although protected health information may be included in breach incidents involving insurance companies.

[6] A Virus is an intrusive malware that infects computers, servers and networks. A virus often carries out unwanted operations on a host computer. A virus could be used for hacking or it could be unintentionally loaded into a system and cause damage. Hacking occurs when a group or individual attempts to gain unauthorized access to computers or computer networks and tamper with operating systems, application programs, and databases. Unauthorized Access/Use is designated when an employee, contractor or volunteer of an organization wrongfully accesses or uses records. Improper Disposal occurs when either physical records or electronic media are not properly disposed of and could be accessed by other parties. A Theft involves physical records or electronic media that have been stolen or taken from an organization without permission by an employee or other party. Loss is designated when either physical records or electronic media have been lost and cannot be located by the organization. Public Access or Distribution occurs when records or data are made available publicly or to inappropriate parties. This includes data made accessible via a server, website or network and sent to inappropriate recipients via paper or electronic methods.

[7] Cost of Data Breach Study United States, Ponemon Institute LLC, May The total average cost per compromised record was $188. For purposes of this study, we estimated the total cost of each data breach using this figure calculated by the Ponemon Institute.

ABOUT NAVIGANT

Navigant (NYSE: NCI) is a specialized independent consulting firm providing dispute, financial, investigative, regulatory and operations advisory services to government agencies, legal counsel and large companies facing the challenges of uncertainty, risk, distress and significant change. The Company focuses on industries undergoing substantial regulatory or structural change and on the issues driving these transformations.

CONTACT

For questions related to the data presented herein:

Lead Data Breach Forensic Investigators
Steven Visser, svisser@navigant.com
Greg Osinoff, Esq, greg.osinoff@navigant.com
Daren Hutchison, dhutchison@navigant.com

Strategic Initiative Contacts
Scott Paczosa, scott.paczosa@navigant.com
Jonathan Drage, jonathan.drage@navigant.com
Darin Bielby, dbielby@navigant.com

Research Lead
Bill Schoeffler, bschoeffler@navigant.com

navigant.com

The authors would like to thank Vanessa Nelson Meihaus and Angela Krulc for their invaluable assistance. Both specialize in practice specific and general business development research in Navigant's Research Services Group.

Brad Pinne, bpinne@navigant.com
Bill Hardin, bill.hardin@navigant.com
Cuyler Robinson, crobinson1@navigant.com

2013 Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See for a complete listing of private investigator licenses.

Information Security & Data Breach Report 2011 / 2012 Annual Review

Information Security & Data Breach Report 2011 / 2012 Annual Review Information Security & Data Breach Report 2011 / 2012 Annual Review 2 Information Security and Data Breach Report Data breaches and large scale cyber attacks continue to make headlines for entities of

More information

Information Security & Data Breach Report November 2012 Update

Information Security & Data Breach Report November 2012 Update Information Security & Data Breach Report November 2012 Update 2 Information Security and Data Breach Report The impact of data breaches continues to be discussed in boardrooms across America as well as

More information

Information Security & Data Breach Report June 2012 Update

Information Security & Data Breach Report June 2012 Update Information Security & Data Breach Report June 2012 Update 2 Information Security and Data Breach Report Data breaches continue to be one of the Achilles heels for corporations as these incidents become

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Network Security & Privacy Landscape

Network Security & Privacy Landscape Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies

More information

DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL

DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL DATA PRIVACY ENFORCEMENT EFFORTS BY STATE ATTORNEYS GENERAL State AGs have been very active in the leadership of data privacy protection initiatives across the country, and have dedicated considerable

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Health Care Data Breach Discovery Strategies for Immediate Response

Health Care Data Breach Discovery Strategies for Immediate Response Health Care Data Breach Discovery Strategies for Immediate Response March 27, 2014 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Sarah Flanagan Partner

More information

Data Breach Cost. Risks, costs and mitigation strategies for data breaches

Data Breach Cost. Risks, costs and mitigation strategies for data breaches Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Today's Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

A-79. Appendix A Overview and Detailed Tables

Table A-8a. Overview: Laws Expressly Granting Minors the Right to Consent Disclosure of Related Information to Parents* Sexually Transmitted Disease and HIV/AIDS** Treatment Given or Needed Alabama 14

HIPAA Privacy Breach Notification Regulations

Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry,

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

HIPAA Compliance. 2013 Annual Mandatory Education

HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health

HIPPA Goes HITECH. Data Protection for Agents

HIPPA Goes HITECH Data Protection for Agents For agent information only. This material should not be distributed to the public or used in any solicitation. 13-0127 Course objectives Agents will be able

HCCA Compliance Institute 2013 Privacy & Security

HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich Session

Privacy Rights Clearing House

10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights

HIPAA Privacy and Security and Research

ICTS Brown Bag Seminar Successful Completion: Participants must complete an evaluation form to receive a certificate of completion Contact Hours: 1 contact hours is available to those who meet the successful

COMPLIANCE ALERT 10-12

HAWAII HEALTH SYSTEMS CORPORATION "Touching Lives Every Day" COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

Common Data Breach Threats Facing Financial Institutions

Last Updated: February 25, 2015 Common Data Breach Threats Facing Financial Institutions Although exact figures are elusive, there is no question that the number of data security breaches both reported and unreported

Presentation for: The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for: The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow's Headline Let's hope not District posts confidential data online (Tech News, May 18, 2007) In one of

Privacy Legislation and Industry Security Standards

Privacy Legislation and Issue No. 3 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry

SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed

The Future of Data Breach Risk Management Response and Recovery. The Cybersecurity Forum April 14, 2016

The Future of Data Breach Risk Management Response and Recovery Increasing electronic product life and reliability The Cybersecurity Forum April 14, 2016 Today's Topics About Merchants Information Solutions,

Student Data Breaches: Is Your District Prepared?

Student Data Breaches: Is Your District Prepared? Colleen A. Sloan, Esq., Manager, Labor Relations and Associate School Attorney JoAnn Balazs, Director, Management Services Janell Hallgren, Manager, Policy

Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir.

Data Breach Strikes - Nerds & Geeks Unite: Effective Cooperation Between Privacy and Technical Experts Presented by: Paul H. Luehr, Managing Dir. Stroz Friedberg Gerard M. Stegmaier, Esq. Wilson Sonsini

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ("Trust") adopts this policy

Guadalupe Regional Medical Center

Guadalupe Regional Medical Center Health Insurance Portability & Accountability Act (HIPAA) By Debby Hernandez, Compliance/HIPAA Officer HIPAA Privacy & Security Training Module 1 This module will address

PRIVACY BREACH MANAGEMENT POLICY

PRIVACY BREACH MANAGEMENT POLICY DM Approval: Effective Date: October 1, 2014 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (ATIPP Act) public bodies such as the Department

Computer Security at Columbia College. Barak Zahavy April 2010

Computer Security at Columbia College Barak Zahavy April 2010 Outline 2 Computer Security: What and Why Identity Theft Costs Prevention Further considerations Approach Broad range of awareness Cover a

2009 HIMSS Analytics Report: Evaluating HITECH's Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH's Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

Network Security & Privacy Landscape

Network Security & Privacy Landscape Presented By: Pam Townley, AVP / Eastern Zonal Manager AIG Professional Liability Division Jennifer Bolling, Account Executive Gallagher Management Liability Division

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies

Managing Cyber & Privacy Risks

Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past

Data Security 101. Christopher M. Brubaker. A Lawyer's Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com

Data Security 101 A Lawyer's Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21st Annual Business Lawyers Institute

Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape

Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape Presented by Rachel Ratcliff OM03 Saturday, 10/5/2013 9:30 AM - 10:45 AM Cybercrime: Protecting Your Digital Assets in Today's Threat

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient's PHI? What

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

Information Privacy and Security Program. Title: EC.PS.01.02

I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of

HIPAA Privacy and Information Security Management Briefing

HIPAA Privacy and Information Security Management Briefing Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315 Soumitra Sengupta Information Security Officer sen@columbia.edu (212)

Your Agency Just Had a Privacy Breach Now What?

Your Agency Just Had a Privacy Breach Now What? Kathleen Claffie U.S. Customs and Border Protection What is a Breach The loss of control, compromise, unauthorized disclosure, unauthorized acquisition,

HIPAA 101. March 18, 2015 Webinar

HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

SMB Data Breach Risk Management Best Practices. By Mark Pribish February 19, 2015

SMB Data Breach Risk Management Best Practices By Mark Pribish February 19, 2015 Presentation Agenda About Mark Pribish Information Governance The Threat Landscape Data Breach Trends Legislative and Regulatory

Imagine discovering at the end of the day that your wallet is missing. Your driver's license, credit cards

EMPLOYMENT LAW Update Data Security Breaches: Are Your Human Resources Policies Equipped to Avoid and/or Repair the Damage? By Daniel Klein, Esq. INTRODUCTION Imagine discovering at the end of the day

Government Focus on Cybersecurity Elevates Data Breach Legislation. by Experian Government Relations and Experian Data Breach Resolution

Government Focus on Cybersecurity Elevates Data Breach Legislation by Experian Government Relations and Experian Data Breach Resolution Will Congress pass data breach legislation in 2015/2016? Recent high-profile

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

Data Security Breach Notice Letter

View the online version at http://us.practicallaw.com/3-501-7348 Data Security Breach Notice Letter DANA B. ROSENFELD & ALYSA ZELTZER HUTNIK, KELLEY DRYE & WARREN LLP A letter from a company to individuals

Roxio Secure Solutions for Law Firms

Roxio Secure Solutions for Law Firms Law firms can easily protect sensitive data stored on CD, DVD, Blu-ray Disc and USB flash media with Roxio Secure Solutions Introduction Law firms and their clients

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda

One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification Adam H. Greene, JD, MPH Partner Davis Wright Tremaine HCCA Compliance Institute April 22, 2015 Doug Pollack Chief Strategy

Compromises in Healthcare Privacy due to Data Breaches

Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA

HIPAA and Privacy Policy Training

HIPAA and Privacy Policy Training July 2015 1 This training addresses the requirements for maintaining the privacy of confidential information received from HFS and DHS (the Agencies). During this training

Data Breach 101 How to Avoid a Virtual Catastrophe

Data Breach 101 How to Avoid a Virtual Catastrophe Presented by Eduard Goodman, J.D., LL.M., CIPP Chief Privacy Officer In partnership with IDentity Theft 911 is solely responsible for the content of this

How to Prepare for a Data Breach

IT Forum How to Prepare for a Data Breach Expediting Response and Minimizing Losses Presentation for SURA IT Committee November 5, 2014 Laura Whitaker, Senior Research Director eab.com Getting to Know

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

Beazley presentation master

The Art of Breach Management Beazley presentation master February 2008 A Brief Review of Data Breaches What is a Data Breach? Actual release or disclosure of information to an unauthorized individual/entity

DATA BREACH INCIDENT RESPONSE WORKBOOK. For Questions or Immediate Help With a Data Breach, Call 1.877.441.3009

DATA BREACH INCIDENT RESPONSE WORKBOOK For Questions or Immediate Help With a Data Breach, Call 1.877.441.3009 Notice to Readers This workbook is not intended as legal advice and AllClear ID encourages

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

How To Protect Your Data From Theft

Understanding the Effectiveness of a Data Protection Program IIA: Almost Free Seminar 21 June 2011 Agenda Data protection overview Case studies Ernst & Young's point of view Understanding the effectiveness

HIPAA/HITECH HEALTH INSURANCE PORTABILITY and ACCOUNTABILITY ACT. Health Information Technology for Economic and Clinical Health Act.

HIPAA/HITECH HEALTH INSURANCE PORTABILITY and ACCOUNTABILITY ACT Health Information Technology for Economic and Clinical Health Act Revised 4/4/14 1 Your Accountability Quality Care Compliance Reputation

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA-Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA-Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security What

Best Practices for a Healthcare Data Breach: What You Don't Know Will Cost You

Best Practices for a Healthcare Data Breach: What You Don't Know Will Cost You By: Emilio Cividanes, Venable LLP Partner and Co-Chair Regulatory Practice Group Paul Luehr, Stroz Friedberg Managing Director

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

Mastering Data Privacy, Protection, & Forensics Law

Mastering Data Privacy, Protection, & Forensics Law April 15, 2015 Data Breach Notification and Cybersecurity Developments in 2015 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy

Medical Information Breaches: Are Your Records Safe?

Medical Information Breaches: Are Your Records Safe? Learning Objectives At the conclusion of this presentation the learner will be able to: Recognize the growing risk of data breaches Assess the potential

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936,

January 2007. An Overview of U.S. Security Breach Statutes

January 2007 An Overview of U.S. Security Breach Statutes Jeffrey M. Rawitz and Ryan E. Brown 1 This Jones Day White Paper summarizes what is generally entailed

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

ANATOMY of a DATA BREACH DISASTER. Avoiding a Cyber Catastrophe. June, 2011. Sponsored by:

ANATOMY of a DATA BREACH DISASTER Avoiding a Cyber Catastrophe June, 2011 Sponsored by: ANATOMY of a DATA BREACH DISASTER Avoiding a Cyber Catastrophe An Advisen Special Report Sponsored by Chartis Security

Cyber Liability & Data Breach Insurance Claims

Cyber Liability & Data Breach Insurance Claims A Study of Actual Payouts for Covered Data Breaches Mark Greisiger President NetDiligence June 2011 Last year, privacy breaches ran about 1-2 per week. This

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business's data 2. Legal obligations

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015 AGENDA 2015 The Year of the Healthcare

Cyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029

Cyber Liability Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Today's Agenda What is Cyber Liability? What are the exposures? Reality of a

Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell

Who's Afraid Of A Big Bad Breach?: Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Overview Identifying the laws that protect personal information and protected

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

$194 per record lost* 3/15/2013. Global Economic Crime Survey. Data Breach Costs. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP

David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Global Cyber Crime is the fastest growing economic crime Cyber Crime is more lucrative than trafficking drugs!

Mastering Data Privacy, Social Media, & Cyber Law

Mastering Data Privacy, Social Media, & Cyber Law October 22, 2014 Data Breach Notification and Cybersecurity Developments in 2014 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy

Personal Information Protection Act Information Sheet 11

Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

Special Report The HITECH Act

Special Report The HITECH Act Privacy and Data Breach Notification Provision An Overview of the HITECH Act On February 17, 2009, President Obama signed into law the $787 billion stimulus package known

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

HIPAA Breach Notification Policy

HIPAA Breach Notification Policy Purpose: To ensure compliance with applicable laws and regulations governing the privacy and security of protected health information, and to ensure that appropriate notice

DATA BREACH CHARTS (Current as of December 31, 2015)

DATA BREACH CHARTS (Current as of December 31, 2015) The charts below provide summary information about data breach notification statutes across the country. California adopted the first data breach notification

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA | DISTRICT OF COLUMBIA | FLORIDA | MISSISSIPPI | NORTH CAROLINA