Did Southern Charm’s Ashley Jacobs Violate HIPAA Laws? See the Video that Led to Complaint with South Carolina … – Reality Blurb

“I realized upon receiving the video that it most likely violated HIPAA regulations.” She sent the following letter to the nursing board: “To whom it may concern, attached is a video sent to me by Ashley Jacobs who is supposedly licensed as a nurse in ...

Identillect’s Delivery Trust® Implemented by Jellyfish Health for Secure Communications for HIPAA … – Markets Insider

IRVINE, Calif., July 20, 2018 (GLOBE NEWSWIRE) -- Identillect Technologies Corp. (the "Company" or "Identillect") (TSX-V:ID) (OTCQB:IDTLF) (Frankfurt:8ID), a trusted leading provider of compliant email security, announced today Jellyfish Health, a ...

GDPR Data Breach Reporting Requirements

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject, that is, any information that could, directly or indirectly, allow a person to be identified.

In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach, as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection, investigation, and internal reporting procedures in place. A data processor must notify the data controller immediately if a data breach is suspected.

Under GDPR, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Protection Officer (DPO) if the company has appointed one, or, if a DPO has not been appointed, to the individual responsible for data protection, the privacy officer, or the security team.

It is the responsibility of the DPO to report a breach to the supervisory authority. Companies that have not appointed a DPO will have to assign the responsibility for breach reporting to another individual. That individual will be the point of contact in the organization should the supervisory authority need further information about the breach.

The timescale for reporting data breaches under GDPR is far stricter than under HIPAA, which allows up to 60 days for a breach to be reported. GDPR requires the supervisory authority to be notified of a data breach within 72 hours of the breach being discovered (see GDPR Article 33). A data breach must be reported unless it is unlikely to result in a high risk to the rights and freedoms of data subjects.

Such a short time frame for reporting breaches means a breached entity is unlikely to have had time to investigate the breach thoroughly, so the information that can be provided to the supervisory authority at that early stage in the investigation is unlikely to be complete. It may therefore be necessary to provide breach information in stages.

GDPR Data Breach Reporting Requirements for Breach Notifications

The data breach report for the supervisory authority must contain the following information:

  • A description of the data breach
  • Categories of data subjects affected and the approximate number of individuals impacted
  • Categories and approximate number of data records affected
  • Contact details of the Data Protection Officer or other point of contact in the organization if a DPO has not been appointed
  • A description of the likely consequences of the data breach
  • A description of the steps being taken to mitigate the breach and limit adverse effects

If the 72-hour reporting deadline is missed, when the breach report is submitted it must be accompanied by a reason for the delay.

The data controller must maintain a record of all personal data breaches, regardless of their severity, including the above information and any further action taken to address the breaches.

When Must Notifications Be Sent to Data Subjects?

Not all personal data breaches require personal notifications to be issued to affected data subjects. The requirement to send personal notifications is based on the level of risk to the rights and freedoms of data subjects. Following a data breach, a risk analysis must therefore be conducted.

If the risk analysis shows there is a high risk of the data breach adversely affecting data subjects, personal data breach notifications must be issued. Unlike HIPAA, there is no time limit for issuing these notifications per se. The notifications should be sent as soon as it is feasible to do so and without undue delay.

Data breach notifications must be written in clear language that a reasonable person would understand, and they must include the same categories of information as the notification sent to the supervisory authority.

Personal data breach notifications for data subjects are not required if any of the following conditions are met:

  • Steps have been taken to render the personal data inaccessible or unintelligible – encryption, for example
  • Steps have been taken that ensure the high risk to the rights and freedoms of data subjects will no longer materialize – the remote deletion of data on a lost device, for example
  • Individual notifications would “involve disproportionate effort.” In such cases, a public communication – such as a press release to a prominent media organization – could be issued instead

The supervisory authority may require the data controller to issue notifications to data subjects even if the data controller has determined there is not a high risk to the rights and freedoms of data subjects.

The GDPR data breach reporting requirements for personal notifications are detailed in Article 34 of the GDPR.

The post GDPR Data Breach Reporting Requirements appeared first on HIPAA Journal.

Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients

Golden Heart Administrative Professionals, a Fairbanks, AK-based billing company and business associate of several healthcare providers in Alaska, is notifying 44,600 individuals that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a recent ransomware attack.

The ransomware was downloaded to a server containing the PHI of patients. According to a press release issued by the company, “All client patient information must assume to be compromised.”

Local and federal law enforcement agencies have been notified about the cyberattack and efforts are continuing to recover files.

The Golden Heart Administrative Professionals ransomware attack is the largest data breach reported by a healthcare organization in July, and the second major data breach to be reported by an Alaska-based healthcare organization in July.

In early July, the Alaska Department of Health and Social Services announced that it had suffered a data breach as a result of a malware infection. The Zeus/Zbot Trojan – an information stealer – had been downloaded, potentially allowing the attackers to gain access to the protected health information of ‘more than 500’ individuals.

Recent reports suggest ransomware attacks are declining, with many cybercriminal gangs switching operations to cryptocurrency mining; however, there does not appear to be any let up in ransomware attacks on healthcare organizations.

Last week, LabCorp, the national network of clinical testing laboratories, experienced a SamSam ransomware attack. The attack was detected within 50 minutes and systems were shut down to prevent widespread file encryption. The ransomware was downloaded following a brute force remote desktop protocol (RDP) attack. It is not currently known how many patients have been impacted by the attack, although some reports suggest millions of patients’ PHI may have been compromised.

On Monday, July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that resulted in its communications system and electronic medical record system being taken out of action. The medical center took the decision to redirect ambulances for stroke and trauma victims to alternate healthcare facilities. As with the LabCorp attack, the ransomware was downloaded to the server following a brute force RDP attack. The electronic medical record systems remained offline for 10 days as a result of the attack.

The post Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients appeared first on HIPAA Journal.