Friday Five: 12/14 Edition
A $111K HIPAA settlement, a new data privacy bill, and how a city recovered from a massive ransomware attack - catch up on the week's infosec news with this roundup!
1. Colorado hospital to pay $111K HIPAA settlement by Jessica Kim Cohen
We regularly highlight in this space whenever a hospital settles a sizeable Office for Civil Rights complaint over HIPAA violations. It was only a few weeks ago that a Connecticut practice paid $125,000 after it allegedly disclosed patient information to a reporter. This week a Colorado facility paid roughly the same amount, $111K, after reportedly failing to terminate a former employee's access to protected health information. In this case the former employee continued to have remote access to Pagosa Springs Medical Center's web-based scheduling calendar, which exposed PHI belonging to 557 patients to the ex-employee. As part of the settlement the hospital has to complete a handful of corrective actions, including developing a process to limit disclosures of PHI to business associates to the minimum amount of PHI necessary for them to perform their duties.
2. The Year Ahead: Push for privacy bill gains new momentum by Harper Neidig
Data privacy bills in this age are a dime a dozen, so much so that it's getting difficult to keep track of them all. The latest entrant, the Data Care Act, was introduced on Wednesday this week. If enacted, the bill would require companies to "reasonably secure individual identifying data from unauthorized access" and impose civil penalties for failing to do so. The bill would also give the Federal Trade Commission the power to impose rules over data collection and issue fines to offenders. If the particulars of the bill sound familiar, it's probably because they are. The Consumer Data Protection Act, proposed last month by Oregon Senator Ron Wyden, would also fine companies for failing to protect data and give more power to the FTC.
3. Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret by Jennifer Valentino-DeVries, Natasha Singer, Michael H. Keller and Aaron Krolik
We'd be remiss not to share this big feature from Monday's New York Times on how far-reaching some apps are when it comes to tracking users' locations. The story looks at how 75 companies receive data from 200 million devices in the U.S., a market that's poised to make $21 billion this year. It's worth clicking through to view the whole package if you missed it; there's some fine UX work here. If you've been keeping track of news like this, it's not especially surprising, but still, few outlets do this sort of story as well and as broadly as the Times. It's the latest in a series of stories by the paper this year about how pervasive technology tracking has become: in August it discussed how banks are tracking users via apps; in May it explored the shadowy world of stalkerware.
4. Google will shift control of European data from U.S. to Ireland to aid GDPR compliance by Chris O'Brien
Google is shifting where it conducts its data services operations in order to comply with Europe's General Data Protection Regulation (GDPR) next year. By January 22 next year, Google Ireland Limited will be the official service provider for European users, or at least those in what's defined as the European Economic Area (EEA) and Switzerland. It's a subtle change, but one that makes Google Ireland Limited the "data controller" for the information of these users. Anne Rooney, the company's Public Policy Manager for that headquarters, said the move would specifically ensure Google complies with the GDPR's "one-stop shop" mechanism, a feature that ensures organizations carrying out cross-border personal data processing activities only have to deal with one lead supervisory authority.
5. Atlanta CIO Revisits Notorious Hack, Looks to the Future by Skip Descant
We occasionally include videos, in lieu of articles, here. Hat tip to Government Technology for pointing out this one, from the city of Atlanta's Chief Information Officer, on how the city has fared in the wake of a nasty ransomware attack - one that two Iranian nationals were recently indicted over - that took down many of its digital processes and services. Two interesting bits from the video: the fact that Atlanta faces about 1,000 cyberattacks a day, and that the city has since moved a lot of its IT and data operations to cloud-based platforms.
Video: "CIO Special Report Final City Of Atlanta," from the City of Atlanta on Vimeo.