As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Governmental Organizations Across the Globe Warn of Enhanced Cyber Threat Environment Related to COVID-19
In recent weeks, we have seen growing threats to cybersecurity and privacy from malicious actors seeking to exploit the COVID-19 pandemic. As companies transition their employees to remote working and focus their efforts on core business continuity, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit vulnerabilities. The need for robust cybersecurity measures is more pressing than ever, and governmental organizations are issuing calls to action.
Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance). The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.
The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws. Given Governor Cuomo’s previous support for robust cybersecurity protection, New York may soon join a growing number of states beefing up their notification statutes.
In a four-part publication, a Task Force that included the Department of Health and Human Services (HHS) and private sector industry leaders released guidance for the healthcare industry on cybersecurity best practices. The guidance, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, focuses on healthcare providers, payors and pharmaceutical companies.
Late last week, the Office of Civil Rights for the Department of Health and Human Services (OCR) announced a $16 million settlement with health-insurance company Anthem, Inc. The settlement amount is nearly three times larger than any prior settlement with the OCR.
The Food and Drug Administration is stepping up its game with respect to the cybersecurity of medical devices.
On Monday, the agency announced its launch of a preparedness and response “playbook” to address threats to medical device cybersecurity. The move cited an uptick in cyber-attacks and the potential for bad actors to exploit medical devices.
Healthcare organizations take note: not following your own data security rules can be costly, very costly. And the more time it takes to comply, the faster the fines stack up.
It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.
Cyber Briefing: Second "Envelope" Lawsuit Against Aetna, Yahoo to Answer for 1.5 Billion Hacked Accounts and Eighth Circuit Weighs In, Again, on Standing
As we head into the new week, here’s a quick summary of major data security developments from around the country.
In the aftermath of two powerful global ransomware attacks, a Michigan-based medical equipment provider has disclosed that hackers “encrypted our data files” and accessed more than 500,000 patient records in what is believed to be the largest reported ransomware attack on health care information.
Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.
For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013. Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.
The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations. Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked. Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website. All of this was without El Camino’s permission.
The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.
The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach. The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself. This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.
Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.
Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.
The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday. In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.
Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians. The breach has been reported as the largest for a hospital in 2016.
Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records. Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.
Department of Health and Human Services Cracks Down on Vendor Oversight in Recent Hospital Settlements
From the rise in ransomware attacks to inadvertent disclosure of information by subcontractors, the health services industry is reminded that a potential consequence of a data breach is the threat of a regulatory enforcement action. In what may be a sign of things to come, the Department of Health and Human Services (DHHS) is scrutinizing both “covered entities” and “business associates” under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad. It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.
The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.
A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.
Recent surveys tell us that cybersecurity is the top risk faced by corporate America. The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern. And their general counsel agree. In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.
Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.
After several fits and starts, Congress finally passed the Cyber Information Sharing Act of 2015 (CISA) as part of the omnibus budget bill. President Obama signed the bill into law on December 18, 2015.
Yet another regulator has weighed in on cybersecurity issues, adding to an already complicated and daunting mosaic of regulatory enforcement actions and guidance. Last week, the U.S. Food and Drug Administration (“FDA”) posted new draft guidance concerning the postmarket management of cyber risks associated with medical devices that are connected to networks. The new draft guidance comes almost a year after President Obama issued Executive Order 13636, which directs public and private actors to work together to share information about cybersecurity.
The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.
At a panel during last week’s Consumer Electronics Show in Las Vegas, Edith Ramirez, chair of the Federal Trade Commission – America’s top privacy regulator – said she would not wear a Fitbit personal fitness tracker. “I don’t want my sensitive health information being shared,” she explained. And as it happens, Fitbit suffered a hack the same week. Meanwhile, U.S. healthcare regulators have recently been promoting policies that promise to aggregate and render more accessible the health data of millions – whether that data comes from consumers using personal health devices like Fitbit or patient visits to doctors or hospitals.
The Privilege of PR: Application of the Attorney-Client Privilege to Crisis Communications and Public Relations in Breach Response Planning
Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, it is no longer if a data breach will happen, but when. And waiting for a breach to occur before designing and implementing a cyber incidence response plan is generally a recipe for disaster.
The legal wrangling between the Federal Trade Commission and LabMD, Inc. over data security continues.
On December 22, 2015, the FTC filed its appeal brief challenging Chief Administrative Law Judge (“ALJ”) D. Michael Chappell’s November 13, 2015 decision (the “Initial Decision”) dismissing the FTC’s complaint against LabMD, a now-defunct clinical testing laboratory alleged to have compromised the personal information of its customers. The appeal, which will be presented to the full Commission, was expected, as the FTC previously filed a Notice of Appeal shortly before Thanksgiving.
Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers. In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015). The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches. Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim.
In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday. In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.
Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses. The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.
With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice. Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.
In a test of the Federal Trade Commission’s authority to police cybersecurity, the Third Circuit Court of Appeals yesterday ruled that the agency has broad power to take action against private sector companies which fail to take adequate steps to protect customer data.
In Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit upheld the FTC’s authority to pursue a lawsuit against the hotel and resort chain based on allegations that it failed to maintain reasonable data security standards. After three successful cyber-attacks on Wyndham’s computer networks led to the theft of thousands of customers’ records, the FTC sued Wyndham in federal court, alleging that Wyndham’s cybersecurity practices were “unfair and deceptive trade practices.” The district court denied Wyndham’s motion to dismiss, finding that the Commission had the authority to regulate data security practices. On appeal, the Third Circuit affirmed the district court’s ruling, holding that the unfairness prong of Section 5 of the FTC Act authorized the FTC to bring enforcement actions for lax data security practices.
This is the first federal appellate decision finding that the FTC has broad cybersecurity enforcement authority under Section 5 of the FTC Act. Since 2005, the FTC has settled 53 cases against companies related to data security. Wyndham is one of two companies to challenge the FTC’s authority in this area. The ruling opens the door for the FTC to commence additional enforcement actions against companies that do not employ reasonable data security practices, especially at a time when Congress has failed to pass comprehensive data security legislation.