HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk Management Articles, Tips and Updates for Medical Practices and Physicians

Illinois joins other states that are not waiting for federal data breach legislation

Illinois is joining several other states in passing legislation that would dramatically increase the potential liability for marketers in the event of a data breach. The Illinois Senate voted 35-13 to approve a bill (SB1833) drafted by the Illinois Attorney General that would add "consumer marketing information" to the definition of personal information under the state's data breach law. It would require notification if there is a breach of "information related to a consumer's online browsing history, online search history, or purchasing history." Illinois Bill SB1833 now moves to the Illinois House of Representatives, where it will likely have substantial support.

At first blush this certainly sounds appealing considering all the data breaches that have occurred in recent times; however, for those that market products on the internet, the inconsistent laws across the country are truly a field of potential liability landmines.

Several industry groups, including the ANA (Association of National Advertisers), are working together to lobby for federal data breach legislation that would pre-empt the patchwork of 47 inconsistent state data breach laws that currently exist. Only Alabama, New Mexico, and South Dakota currently do not have security breach laws on the books. The ANA calls the Illinois bill the "poster child" example of why federal legislation is necessary as state legislatures rush to curb media-infused consumer fears over data breaches that the ANA purports result in unreasonable laws with the potential for significant liability to companies.

Everyone certainly agrees that consumers should be notified if there is a breach of personal information that creates a risk of identity theft or some other financial harm to consumers. However, the state laws typically contain no clear specific trigger for breach notification. The vast preponderance of consumer marketing information does not present a risk of identity theft or financial harm to consumers.

This unprecedented expansion of the scope of the current data breach law could cost Illinois companies millions of dollars each year to protect non-sensitive information that poses no material risk of identity theft or financial harm to residents. In addition, consumers could eventually succumb to "notice fatigue" if they receive notices about breaches that involve no serious risk of harm to them.


Illinois hospital blackmailed with release of patient data

Clay County Hospital in Flora, Ill., has received an anonymous blackmail email threatening to release some patient data unless the email sender receives a "substantial payment from the hospital," according to a news release.

The hospital notified law enforcement, launched an investigation to determine the source and scope of the threat and notified all affected patients.

The compromised data pertains to patients who visited a Clay County Hospital clinic on or before February 2012 and includes patient names, addresses, Social Security numbers and birth dates. No medical information has been accessed, according to the release.

A CIO report indicates the hospital is not disclosing how many people are involved in the data breach, but it does not believe the data has been released so far.

The forensic investigation also determined that hospital servers have not been hacked and remain secure.

Clay County Hospital plans to implement extra internal security measures to prevent future incidents like this, including additional logging systems and auditing features to track and control data access.


Data breaches focus of proposed Illinois law

April 25--A bill that would strengthen the state's data breach notification law has passed the Senate by a vote of 35-13.

S.B. 1833, sponsored by state Sen. Dan Biss of Evanston, was quickly praised by Illinois Attorney General Lisa Madigan.

"The growing frequency and scope of data breaches has necessitated an overhaul of Illinois' notification law," Madigan said in a news release. "This measure will ensure that people receive timely information when a breach occurs so they can work to limit their exposure to identity theft."

Madigan drafted the bill to strengthen the state's Personal Information Protection Act. The original act was passed in 2005, at Madigan's behest. It made Illinois among the first states nationwide to require businesses and other entities that suffer a data breach to notify Illinois residents if the breached information included residents' drivers' license numbers, social security numbers, or financial account information.

Since then, the amount of sensitive information collected about consumers has expanded, and the threat of data breaches has increased significantly.

"Between computers, phones and tablets, information is almost always at our fingertips. But the downside to that connectivity is that there are new ways for individuals to access personal information," Biss said in a news release.

The bill was endorsed by Citizen Action Illinois and the Heartland Alliance, among others. It would expand the type of information that triggers a breach notification to consumers, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts.

The bill would also require entities holding sensitive information to take reasonable steps to protect the information, to post a privacy policy describing their data collection practices, and to notify Madigan's office when breaches occur.

The Illinois Attorney General's office is creating a website that will list every data breach that affects Illinois residents in an effort to increase their awareness.

Edwardsville police reported Thursday that they have taken 129 such incident reports in 2015, compared to just 9 in 2014.

Edwardsville resident Joe Baird said Thursday that the joint income tax that he and his wife filed this year was rejected recently because someone had stolen his wife's social security number and used it to collect a refund. "We had to go in and sign affidavits and all kinds of paperwork and then send it back to the government," Baird said.

The return, he said, had been filed electronically. The refund would be relatively small, he said. Still, Baird says he's hoping to find out who got the original refund, and how much they received.

"In this day of computers, it seems like nobody's safe anymore."

With its passage this week, SB 1833 now goes to the House for consideration.
