Legal News

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach in which details of HIV medications were visible through the clear plastic windows of the envelopes used for a mailing. Letters inside some of the envelopes had slipped, making the words “when filling prescriptions for HIV medications” clearly visible to anyone who handled or saw the envelopes.

The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach.

The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated.

The costs associated with the privacy breach are mounting, and Aetna does not believe it should have to cover costs resulting from the alleged negligence of a third party. The health insurer is seeking at least $20 million in damages from the administrative support company – Kurtzman Carson Consultants (KCC) – whose error, Aetna says, resulted in the privacy breach.

In the lawsuit, Aetna claims the firm’s errors and omissions amounted to gross negligence and that KCC should have been aware that HIV medication information was detailed under the names and addresses of its plan members. Aetna claims no checks were performed to determine how much information was visible through the windows of the envelopes. Aetna also claims KCC did not communicate to Aetna that envelopes with clear plastic windows were being used for the mailing, and that Aetna’s lawyers were not consulted to give their approval of the mailing.

Aetna did try to resolve matters directly with KCC and sought indemnification; however, the talks failed, prompting Aetna to take legal action.

Aetna is seeking a ‘hold harmless’ ruling which would see Aetna protected from all liability, damages, payments and claims related to the mailing. With the outcome of other lawsuits pending, further investigations being conducted by state attorneys general, and a potential HIPAA penalty from the Department of Health and Human Services’ Office for Civil Rights, the final cost of the mailing error is likely to be well in excess of $20 million.

In addition to seeking damages, Aetna is also trying to get KCC to return or destroy all confidential information provided to allow the firm to process the mailing.

KCC denies the allegations and its general counsel, Drake Foster, said Aetna’s claims are ‘demonstrably false.’

It is not only Aetna taking legal action against KCC over the mailing fiasco. A subsidiary of KCC has also filed a lawsuit against Aetna claiming the health insurer failed to protect the privacy of its plan members. The lawsuit was filed in Los Angeles federal court the day after Aetna’s lawsuit was filed in Philadelphia federal court.

In its lawsuit, KCC claims Aetna and its lawyers at Gibson Dunn & Crutcher were provided with samples of the letters and were aware that envelopes with clear plastic windows were being used. KCC claims the letters and the use of the envelopes were both approved.

KCC also claims the confidential information it received in order to send the mailing was not subject to a protective order, and that not all of the information was encrypted in transit to KCC via Gibson Dunn. KCC also claims Aetna shared more information than was necessary to send the mailing: a breach of HIPAA’s minimum necessary standard.

KCC is seeking a declaration that it is not responsible for any of the costs arising from the privacy breach and that all of its legal costs should be covered by Aetna.

The post Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach appeared first on HIPAA Journal.

Nebraska Personal Information Bill Advances After 34-0 First Round Vote

On January 3, 2018, Senator Adam Morfeld introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. In the first round of voting the bill was unanimously passed by Nebraska lawmakers.

The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 million Americans – including almost 700,000 Nebraskans – compromised as a result of a cyberattack.

The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced.

According to Sen. Morfeld, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before credit reporting agencies like Equifax.” Sen. Morfeld has made the bill his number one priority.

It was not only the scale of the Equifax breach that was galling for Sen. Morfeld, but the actions of Equifax following the breach. The company only provided 12 months of free credit monitoring services to breach victims, after which consumers would be charged to continue protecting themselves. Many consumers were also forced to pay out of pocket to freeze their credit files, as those services were not provided free of charge. While free credit monitoring services were offered, chargeable credit freezes were advertised on the same site.

Nebraska Attorney General Doug Peterson also spoke out about the actions of Equifax, claiming the firm was “seemingly using its own data breach as an opportunity to sell services to breach victims.”

The bill proposes that credit reporting agencies should not be permitted to charge consumers fees for placing and removing credit freezes on their files after a credit reporting agency experiences a security breach that exposes consumer data.

The bill originally called for such breaches to require a lifetime of free credit reporting services to be provided to breach victims, although that attracted considerable criticism from the industry and the bill was amended.

In addition to free credit reporting and credit freezes, the bill would require credit agencies to maintain “reasonable security procedures and practices,” to ensure the confidentiality of any consumer data held, and also for any third-party companies that are provided with consumer data by the agencies to also ensure they have reasonable security measures in place. The bill would give the state attorney general greater powers to pursue legal action against companies and collect damages on behalf of consumers.

While the bill is primarily concerned with protecting consumers from data breaches experienced by credit monitoring and reporting agencies, the bill requires any “individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains data that includes personal information about a resident of Nebraska,” to implement and maintain reasonable security measures to protect the data of state residents.

If a company or organization complies with federal legislation that provides the same or greater levels of protection for consumers – for example, the Gramm-Leach-Bliley Act or HIPAA – it would be deemed to be in compliance with the requirements of Legislative Bill 757.

While there was a unanimous vote in favor of the bill, some senators were concerned about the impact such a bill would have on consumers and the credit monitoring and reporting industry. Some senators have requested further information on the bill, with Sen. Paul Schumacher of Columbus concerned that the bill may result in significant cost increases for consumers. Despite those concerns, the bill passed 34-0.

Before the bill becomes state law it must pass two further votes.


Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc. – used by the pharmacy benefit manager CVS Pharmacy is being sued over an accidental disclosure of 41 individuals’ protected health information.

CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules.

CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings.

CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident.

The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in CVS Pharmacy’s contract with the health plan. By violating the performance standard, CVS Pharmacy was required to pay the health plan $1.8 million.

A lawsuit was filed by CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy alleges the mismailing was due to negligence by its subcontractor, and that the $1.8 million payment was made as a direct result of that negligence. CVS Pharmacy maintains the breach was fully under the control of its subcontractor.

CVS Pharmacy alleged the mail service owed it a duty of reasonable care and that the duty of care was breached. Since PHI was improperly disclosed and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to send notifications to the 41 plan members, which the complainant claims damaged its reputation.

The mail service sought to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that required the $1.8 million payment. The mail service also contended that its indemnification provisions were not intended to cover this type of payment.

However, the federal court declined to dismiss CVS Pharmacy’s lawsuit. The court ruled that the subcontractor’s indemnification provisions were broad enough to encompass CVS Pharmacy’s payment to the health plan, and that the subcontractor had no right to challenge the contractual obligation since it was neither a party nor a third-party beneficiary to the contract. The court also ruled that CVS Pharmacy had sufficiently alleged negligence based on the breach of duty.

Losses were also suffered as a result of that negligence, as CVS Pharmacy had to make a sizeable payment to the health plan in addition to covering the cost of issuing notifications to the plan members whose PHI was disclosed. Consequently, the motion to dismiss the case was denied.


Breach Notification Bill Passes South Dakota Senate Judiciary Committee

At present, South Dakota is one of two states that do not have breach notification laws (Alabama being the other), but that could soon change if proposals passed by the Senate Judiciary Committee last Tuesday are enacted by the South Dakota State Legislature.

The proposed bill – SB 62 – would amend Chapter 22-40 of the Codified Laws relating to identity crimes, and require companies maintaining computerized information about South Dakota residents to inform consumers of any “unauthorized acquisition” of their personal data.

If enacted, the bill stipulates that residents have to be informed within sixty days of discovery of a breach unless the company and the State Attorney General’s Office determine the breach is unlikely to cause harm to those whose data has been acquired without authorization.

Under the proposed laws, extensions to the sixty-day limit are allowed if more time is required for law enforcement agencies to investigate the breach; and, if the breach involves more than 250 South Dakota residents, companies must notify consumer reporting agencies of the timing, distribution, and content of the breach notification sent to affected residents.

How This Might Affect HIPAA-Covered Entities

Although the bill mostly uses HIPAA’s definition of Protected Health Information to determine what constitutes “personal data”, the definition of biometric data is slightly amended to “that generated from measurements or analysis of human body characteristics for authentication purposes”.

On timing, the bill requires affected residents of South Dakota to be notified within sixty days of discovery, the same outer limit as HIPAA’s Breach Notification Rule, which requires notification without unreasonable delay and no later than sixty days after discovery. A more significant difference is the requirement to notify consumer reporting agencies of a breach affecting more than 250 residents (whereas HIPAA requires HHS and the media to be notified of breaches involving more than 500 individuals).

HIPAA-covered entities and business associates maintaining the personal data of South Dakota residents will be deemed to be in compliance with the proposals unless it is subsequently proven otherwise. Organizations unsure about their HIPAA compliance should seek professional advice, as the proposed penalties for non-compliance with South Dakota’s breach notification law are significant.

Penalties for Non-Compliance with the Proposed Bill

The bill places the responsibility for investigating non-compliance with the South Dakota Attorney General’s Office, and gives the Attorney General the authority to impose a civil penalty of up to $10,000 per violation per day plus the costs of pursuing civil action.

The bill also allows the State to impose civil penalties of up to $2,000 per violation per day under its “Deceptive Trade Practices and Consumer Protection Law” (§37-24-27). The criterion for falling foul of this law is that a company knew, or should have known, it had a legal duty to notify consumers of a breach of their personal information.


New Bill Proposes to Amend Iowa Breach Notification Act

A new bill introduced by Iowa Attorney General Tom Miller would, if enacted, extend the definition of a notifiable data breach to include medical information, health insurance information, and personal information that previously had to be combined with other individual identifiers before a breach was notifiable.

Since 2014, data breaches affecting more than five hundred Iowa residents have had to be reported to the director of the consumer protection division of the office of the Iowa Attorney General. More than 120 breaches have been reported in the past four years, including those at Anthem Blue Cross, Banner Health and Medical Informatics Engineering.

The relatively low number of reported breaches implies either that the personal data of Iowa residents is remarkably secure, or that breached entities are failing to notify the Attorney General’s office as required. AG Tom Miller intends to find out which by introducing an amendment to the state’s current Breach Notification Act that extends the definition of a data breach.

Medical and Health Insurance Information to be Included

Currently, entities experiencing a data breach only have to notify the Attorney General’s office if the breached data includes a Social Security number, a driver’s license number, or unique biometric data – or if the breach includes financial data that “in combination with any required expiration date, security code or password would permit access to an individual’s financial account”.

AG Miller’s amendment proposes to remove the “in combination with” requirement, so that any breach of financial data is notifiable. It would also add medical information, health insurance information, and personal information such as tax identification numbers to the list of notifiable data elements. There is also a proposal to change the current notification period of “without unreasonable delay” to a fixed forty-five days.

Loopholes Closed over Encryption and Personal Harm Exclusions

Other proposed changes to the Iowa Breach Notification Act include closing some of the loopholes entities can use to avoid notifying the Attorney General’s office of a breach. Currently an entity does not have to report a breach if the accessed data is encrypted, with no minimum standard for what counts as encryption. If AG Miller’s proposals are enacted, this exclusion will only apply if the data is encrypted to a 128-bit standard or higher.

Entities can also avoid reporting a breach if it can be shown there is no reasonable likelihood of “financial harm” to individuals. The amendment proposes the removal of the word “financial” (so a breach with the potential for any harm would have to be notified) and stipulates that, if it is determined no harm is reasonably likely, a written justification of that determination must be sent to the Attorney General’s office within five days.

Will the Amendment Result in Better Protection for Iowa Residents?

Announcing the introduction of the amendment, assistant Iowa Attorney General Nathan Blake said; “We wanted to make sure the laws on the books are protecting consumers sufficiently.” However, rather than enhance consumer protection, the proposed amendment to the Iowa Breach Notification Act does little more than close loopholes that should not have been present in the original legislation.

The likely outcome is that Iowa residents will be no better protected against data theft than they are now, and that the number of data breaches reported in Iowa will increase. Quite possibly – in the long term – an increase in reported breaches may result in tougher data protection laws being introduced. However, in the short term, the only issue the amendment will resolve is whether there has been significant under-reporting of data breaches in Iowa since 2014.


Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study on atrial fibrillation (AFib), and the study name IMPACT-AFib was visible through the window of the envelope. Anyone who saw the envelope could have deduced that the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the HIPAA regulations and is required to implement safeguards to ensure the confidentiality of health information, including HIV information. Several New York laws also require safeguards to be implemented to protect personal health information and personally identifiable information.

The mailing itself was not the only violation. Aetna provided the personal health information of its members to outside counsel, who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate, yet no business associate agreement was entered into prior to the disclosure of PHI – a further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R § 164.502; 42 U.S.C. § 1320d-5 of HIPAA, N.Y General Business Law § 349, N.Y Public Health Law § 18(6), and N.Y Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. The $1.15 million settlement only resolves the privacy violations affecting the 2,460 and 163 Aetna members in New York State. The July mailing was sent to around 13,000 Aetna members across the United States, and it is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the breach and may choose to penalize the insurer for violating HIPAA Rules.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary penalty of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas Attorney General’s office were assisting the Topeka Police Department in executing a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information such as Social Security numbers, driver’s license numbers and financial account numbers, which could be used to harm the persons whose information was exposed. The information could have been viewed by anyone in the property, including individuals not authorized to access it.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of the information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(1) and K.S.A. 50-6,139b(b)(2).

In addition to paying the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney General’s office during its investigation.


Senate Judiciary Committee Advances South Dakota Data Breach Notification Bill

The Senate Judiciary Committee in South Dakota has voted unanimously in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of Attorney General Marty Jackley, advanced after a 7-0 vote.

Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law.

The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement.

Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be harmed as a result of the breach.

A breach is defined as “The acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The law would apply to personal information, defined as a first name or first initial and last name in combination with any of the following data elements:

Social Security number, driver’s license number, unique government ID number, medical information, health insurance information, employment ID number with associated security code, account or credit/debit card numbers in conjunction with security codes, passwords, PINs or access codes that would permit access to those accounts, biometric data used for authentication purposes, and email addresses in combination with passwords, security question answers, or other information that permits access to an online account.

Breach notifications would need to be made in writing, or electronically if the breach victim is usually contacted in that manner. If the cost of notification would exceed $250,000, if more than 500,000 individuals have been impacted, or if insufficient contact information is held on the breach victims, a substitute breach notice would be acceptable. A substitute notice would need to include an email notice (if a valid email address is held), a conspicuous posting on the entity’s website, and a notice to statewide media. Breaches impacting more than 250 state residents would also require notification to be provided to consumer reporting agencies.

If passed, the South Dakota Attorney General would be authorized to bring an action against the breached entity over the failure to comply with the law. The maximum civil penalty would be $10,000 per day, per violation. Attorney’s fees and other costs associated with the action would also be recoverable.

The South Dakota breach notification law would apply to all entities doing business in the state of South Dakota, although entities in compliance with federal laws that have breach reporting requirements would be deemed to be in compliance with the requirements of the proposed law.


Colorado Considers New Privacy and Data Breach Legislation

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws.

The proposed legislation applies to personally identifying information (PII). The changes would see the following information included in the definition of PII:

First name or first initial and last name in combination with any of the following data elements: personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information.

Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key to unlock the encryption is also compromised.

Organizations that store the PII of state residents would be required to implement controls to ensure the privacy and confidentiality of PII. The proposed legislation does not include details of the types of security protections, procedures, and practices that must be implemented to keep personally identifiable information secure, only that the security measures be “appropriate to the nature of the personally identifying information and the nature and size of the business and its operations.”

Any entity that wishes to disclose PII to a third party must communicate to that entity that the PII must be protected and secured at all times, including the use of technology, procedures and practices. They must be appropriate to the sensitivity of the data and be reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.

If PII is no longer required, the information must be securely and permanently destroyed, whether the information is in paper form or stored on electronic devices. Policies covering the destruction of data are required in writing.

For paper records, this would likely mean burning, pulping, pulverizing, or shredding. For electronic devices, data would need to be securely erased to prevent reconstruction. Typical methods include degaussing (exposing the device to strong magnetic fields), using software to overwrite the media so that data cannot be reconstructed, or destroying the media by pulverization, disintegration, melting, shredding, or incineration.

In the event of a breach of PII, the maximum time limit for issuing notifications would be 45 days from the discovery of a breach. Currently there is no stipulated maximum time frame for issuing notifications. Notifications must currently be issued “in the most expedient time and without unreasonable delay.”

A notification would also need to be sent to the state attorney general no later than 7 days following the discovery of a breach that impacts 500 or more individuals.

As is the case in California and several other states, the legislation stipulates the content that must be included in breach notification letters: the date of the breach (or a reasonable estimate if it is not known), a description of the PII that has been compromised, contact information, a toll-free number to call for further information, contact details of consumer reporting agencies and the FTC, and information on how credit freezes and fraud alerts can be placed.

The legislation would also authorize the Colorado Attorney General to initiate criminal investigations and legal proceedings against organizations that fail to comply with the legislation.