Discovered on April 3 and limited to credit or debit card transactions between Sept. 3, 2014 and April 2, 2015 at the company's restaurant, bar and retail locations, including the Culinary Dropout Restaurant, the Hard Rock may have had names, credit card numbers and their CVV security codes stolen by malware. The company emphasizes the stolen data would not have included PIN numbers or other sensitive customer information.
[from the Office for Civil Rights (OCR) in the US Department of Health and Human Services]
Cornell Prescription Pharmacy (Cornell) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies in the area.
OCR opened a compliance review and investigation after receiving notification from a local Denver news outlet regarding the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises. The documents were not shredded and contained identifiable information regarding specific patients. Evidence obtained by OCR during its investigation revealed Cornell's failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.
"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," said OCR Director Jocelyn Samuels. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."
In addition to the $125,000 settlement amount, the agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training.
OCR offers helpful FAQs concerning HIPAA and the disposal of protected health information: http://www.hhs.gov/ocr/
If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page on filing complaints at http://www.hhs.gov/ocr/
Currently, the Data Security and Notification Act of 2015 seeks to codify a standard across the United States which would create uniformity in personal information security and breach notification. Unfortunately, what it does not provide is exception to current or future state laws which provide stronger safeguards.
Currently, thirty-four states (including the District of Columbia) have broader scopes for invoking notification to affected individuals.
For example in California, the viewing habits of Internet and pay-TV customers are protected and any breach of this meta-data requires notification to the individual whose data has been exposed.
The Data Security and Notification Act of 2015 only requires notification if the responsible custodian of the data (i.e. company whose database is breached) determines “a reasonable risk” of “ID theft” or “economic harm.” Medical records will be up for interpretation rather than guarded under the current California State Notification Breach regulation.
The bill limits enforcement authority almost exclusively to the Federal Trade Commission (FTC.) Additionally, it reduces the scope on what types of events and incidents require action by invoking “financial harm” potential as the driver.