TennCare Vendor Breach: A HIPAA Case Study


Conveniently announced in an end-of-day (Friday) news dump last week was news of a large data breach that could affect a large number of Tennessee residents. Magellan Health, Inc., the pharmaceutical management vendor used by the state’s Medicaid program, admitted to the possible exposure of data on nearly 44,000 TennCare members. As first reported by the Tennessean, the unauthorized access of a Magellan employee’s email account left sensitive information such as names, Social Security numbers, member IDs and prescriptions, health plans, and provider names exposed for “43,847 people”. The announcement served as just another troubling reminder of the insufficient security standards used by those in the healthcare industry, a point further belabored by recent findings from the nonprofit ProPublica, which uncovered the availability of more than 5 million patient records floating around the Internet. The Magellan breach represents an opportunity to examine the legal considerations for healthcare […]


The Danger of a Monkey See, Monkey Do Approach to a Privacy Policy


Last year, odds are you suddenly found your inbox inundated with nearly identical emails from different companies. The subject line and content concerned “an update to our privacy policy.” This sudden uptick in privacy policy updates coincided with the European Union’s General Data Protection Regulation going into effect. One of the immediate ramifications for companies under the GDPR umbrella was the requirement that a privacy policy be accessible, easily understandable, and include key disclosures explaining exactly how an organization collected and used one’s personal information. Inspired by GDPR, California passed its own privacy law, the California Consumer Privacy Act (CCPA), in June of 2018. The CCPA also has very specific privacy policy requirements for businesses subject to the law. The cumulative result of stringent privacy laws like GDPR and CCPA has been an increase in consumer concern about how companies make use of their data and the desire for […]


Employers Beware: The Exposure of Employee’s Information Could Get You Sued


The ubiquitous nature of high-profile and embarrassing data breaches has left many organizations scrambling to protect outsider information. Regulations like GDPR and state laws like California’s Consumer Privacy Act (CCPA) are forcing the action, persuading businesses of all sizes to take the necessary steps to protect consumer information. Yet far too often, many of these same businesses forget to protect the most obvious informational asset in their possession: the personally identifiable information (PII) of employees.

Breach of Employee Information

A company’s failure to protect employee PII is becoming an increasingly serious area of corporate exposure. In November of last year, retail giant Nordstrom, with more than seventy thousand workers to its name, revealed a breach involving employee information. The exposure of the employees’ personal data included sensitive information like names, Social Security numbers, dates of birth, salaries, and even checking account and routing numbers. In similar fashion, software company Citrix suffered […]


Multi-state AG enforcement of HIPAA — a sign of what’s to come?


This article is a republication of a piece I wrote for DataGuidance, a global privacy platform, in June of this year. As one of 30 North American experts, I occasionally produce content for this resourceful tool used by privacy professionals around the world. On 4 December 2018, 12 State Attorneys General (‘AGs’) filed a joint complaint against the company Medical Informatics Engineering (‘MIE’) in the United States District Court for the Northern District of Indiana (‘the Court’), in the case State of Indiana et al v. Medical Informatics Engineering, Inc. et al (‘the MIE case’). The complaint was filed over the company’s handling of a data breach in May 2015, which the AGs claimed had amounted to a violation of the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’), as well as statutes at a state level. Thomas Ritter, Associate at Thompson Burton PLLC, comments on the significance of […]


Cybersecurity Basics for Any Business


According to a recent survey of US CEOs, cybersecurity represents the biggest external concern for 2019. If organizations know cybersecurity is an issue, then why is there such a struggle to combat this universal problem? In my opinion, the answer lies within the following Tony Robbins quote: “Complexity is the enemy of execution”. Organizations view cybersecurity as a problem too complex to combat and solutions too cost prohibitive to practice. In the midst of National Small Business Week, it’s only appropriate to talk about building a solid cybersecurity foundation through cost-effective practice pointers.

Building a Solid Foundation

What if I told you the secret to cybersecurity isn’t all about industrial firewalls and around-the-clock threat monitoring but a foundational methodology built on easy-to-use principles? If you’re skeptical, take the word of my friend and former FBI agent and cybersecurity expert (and newly minted author) Scott Augenbaum. “90% of the […]
