Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

SANS: The 6 Categories of Critical Log Information

To the network admins out there: Here’s a document from the esteemed Dr. Anton Chuvakin that is definitely worth looking at.

The document linked in the article can be used to figure out what to log, what to report on and what reports to review for various purposes. At its center are these top log report categories:

  1. Authentication and Authorization Reports
  2. Systems and Data Change Reports
  3. Network Activity Reports
  4. Resource Access Reports
  5. Malware Activity Reports
  6. Failure and Critical Error Reports

Link.
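To make the six categories concrete, here is an added Python example (not from the SANS document or from Dr. Chuvakin) that tags a handful of constructed syslog-style lines with one of the six report categories and produces a per-category count. The keyword patterns are a deliberately small assumption of my own, and the uncategorized bucket is left visible on purpose: lines that fall through the rules are exactly the events a reviewer needs to look at when deciding what else to log.

```python
import re
from collections import Counter, defaultdict

# The six SANS report categories named in the post, used as tags.
CATEGORIES = [
    "Authentication and Authorization",
    "Systems and Data Change",
    "Network Activity",
    "Resource Access",
    "Malware Activity",
    "Failure and Critical Error",
]

# Hypothetical keyword rules constructed for this example (not the SANS
# document's own mapping). Order matters: the first matching rule wins, so the
# most specific categories are listed before the generic "error" catch-all.
RULES = [
    ("Malware Activity",
     re.compile(r"(?i)virus|malware|quarantin|trojan")),
    ("Authentication and Authorization",
     re.compile(r"(?i)failed password|accepted publickey|sudo:|session opened|"
                r"authentication failure|login")),
    ("Systems and Data Change",
     re.compile(r"(?i)useradd|usermod|package installed|config(uration)? changed|crontab")),
    ("Network Activity",
     re.compile(r"(?i)\bdrop\b|\bconnect(ion)?\b|firewall|iptables|dns")),
    ("Resource Access",
     re.compile(r"(?i)\bGET\b|\bPOST\b|file opened|read access|share access")),
    ("Failure and Critical Error",
     re.compile(r"(?i)\berror\b|critical|failed to|panic|segfault")),
]

# Constructed sample log lines (hosts, users and addresses are made up; the
# addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOGS = [
    "Sep 12 10:01:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 52214 ssh2",
    "Sep 12 10:01:09 web1 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2",
    "Sep 12 10:02:15 web1 sudo:   deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Sep 12 10:02:40 web1 useradd[2310]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash",
    "Sep 12 10:03:44 fw1 kernel: iptables DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389",
    'Sep 12 10:04:01 web1 httpd: 192.0.2.44 - - "GET /records/export.csv HTTP/1.1" 200 88214',
    "Sep 12 10:05:30 ws17 clamd: /home/jdoe/Downloads/invoice.exe: Win.Trojan.Agent FOUND, quarantined",
    'Sep 12 10:06:12 db1 postgres[511]: PANIC: could not write to file "pg_wal/000000010000000A": No space left on device',
    "Sep 12 10:07:00 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]


def categorize(line):
    """Return the first matching report category, or 'Uncategorized'."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return "Uncategorized"


def build_report(lines):
    """Group log lines under their category, ready to hand to a reviewer."""
    report = defaultdict(list)
    for line in lines:
        report[categorize(line)].append(line)
    return dict(report)


def summarize(lines):
    """Per-category counts, always listing every category (zero included)."""
    counts = Counter(categorize(line) for line in lines)
    return {cat: counts.get(cat, 0) for cat in CATEGORIES + ["Uncategorized"]}


def coverage_gaps(lines):
    """Lines no rule claimed: the input for tuning what to log and report on."""
    return [line for line in lines if categorize(line) == "Uncategorized"]


if __name__ == "__main__":
    for category, count in summarize(SAMPLE_LOGS).items():
        print(f"{count:3d}  {category}")
    print("\nUncategorized lines to review:")
    for line in coverage_gaps(SAMPLE_LOGS):
        print("  ", line)
```

Running the block prints three authentication events, one event in each of the other five categories, and one uncategorized cron line; in practice the rule list would be driven by the log sources actually present rather than by keywords, but the review loop is the same: tune the rules until the uncategorized bucket contains only noise.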


Doctor Sued for Posting Pictures of Drunk Model on Facebook

The reprehensible behavior displayed by this doctor violates basic human decency, and likely won’t be corrected by HIPAA laws or an employee training program.

A former Northwestern University student claims that after she was admitted to an Illinois hospital for extreme intoxication, a doctor there took photos of her and posted them to social media sites with commentary about her condition.
. . .
Approximately 15 minutes after she had regained consciousness, Puppala, who was on duty at the time and knew Chernyakova through a mutual friend, visited her hospital room, according to the complaint.

He allegedly asked to view her medical records, and returned several hours later to take photographs of her "while she was on the hospital bed, crying and attached to an IV," according to the complaint. He then posted these photographs on Instagram and Facebook, accompanied by "attached statements of commentary" about Chernyakova's condition, according to the complaint.

Puppala refused to delete the photographs when he was asked to do so by hospital security, according to the complaint.



A Sampling of HIPAA Fines and How They Could Have Been Avoided

Yesterday I posted a terrific article from Krystyna Monticello of Legal Health Information Exchange that discussed Affinity Health’s $1.2M settlement after improperly disposing of photocopiers that contained PHI.

At the bottom of that same article Krystyna summarizes a number of recent data breach settlements and the causes behind the breaches. It deserves its own post and should serve as a warning to any HIPAA covered entity or business associate responsible for storing or handling PHI.

How These Breaches and Fines Could Have Been Avoided:

  • (1) Address the need for encryption for everything with PHI (laptops, mobile devices, photocopiers).
    • Idaho Hospice ($50K)
    • Providence Health ($100K)
    • Mass Eye/Ear ($1.5M)
    • Alaska DHSS ($1.7M)

  • (2) Dispose of ePHI properly
    • CVS ($2.25M)
    • Rite Aid ($1M)

  • (3) Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it
    • Mass General ($1.5M)

  • (4) Choose your Business Associates wisely (and have written BAAs with them)
    • BCBS Tennessee ($1.5M)
    • Arizona Cardiologists ($100K)

  • (5) Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed)
    • BCBS Tennessee ($1.5M)
    • Idaho State ($400K)
    • Arizona Cardiologists ($100K)
    • Wellpoint ($1.7M)

  • (6) Have written policies (and actually implement them)
    • Rite Aid ($1M)
    • CVS ($2.25M)
    • Cignet Maryland ($4.3M)
    • Mass General ($1.5M)

  • (7) COOPERATE with OCR!
    • Cignet Maryland ($4.3 million)


Copiers result in $1.2 million settlement and CAP for Affinity Health

More from the Legal Health Information Exchange:

Affinity had reported the breach after it was informed by CBS Evening News that confidential medical information was on the hard drive of a photocopier previously leased by Affinity. Originally estimated at over 400,000 affected individuals, as reported by DataBreaches.net, OCR noted in its press release regarding the Resolution Agreement that up to 344,579 individuals were reported as potentially affected by the breach.

CBS had purchased the copier along with three others as part of an investigatory report on digital photocopiers and identity theft.

The settlement includes a Corrective Action Plan (CAP) stating that Affinity must use "best efforts" to retrieve all photocopier hard drives that were previously leased and safeguard all ePHI maintained therein, within five days.

Ouch. Read the full article here.


Document Disposal Company Responsible for old Patient Records found in Park

From the Legal Health Information Exchange:

Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth ("Texas Health Fort Worth") earlier this month of a breach of their health information. Only patients seen between 1980 and 1990 whose records were maintained on microfiche are affected or potentially affected by the breach.

Texas Health Fort Worth's business associate, document destruction company Shred-It, was contracted to dispose of the old microfiche records. As reported by the Star-Telegram, because the microfiche could not be destroyed on-site, Shred-It was to transfer them to another facility for destruction.

Somehow "lost" or misdirected during transit, the records found themselves in a park where a concerned citizen found them and contacted the Dallas police.


Survey Reports High Percentage of Employee Misuse and Theft of Company Data

Littler Mendelson P.C. reminds us that data protection isn’t just about addressing external threats:

A recent study by independent data privacy research firm Ponemon Institute of 3,317 individuals in six industrialized countries found that employees are moving intellectual property, including trade secrets, outside their companies in all directions. 

Over half of those surveyed admitted they had emailed business documents to their personal email accounts; 41% said they do this at least once a week. The same percentage of respondents confessed they downloaded company IP to personally-owned tablets or smartphones. A majority of those surveyed did not believe this was “wrong.”



HIPAA Omnibus Rule Released

It’s been a long wait but the HIPAA Omnibus Rule has arrived and it is big, weighing in at over 500 pages.

Mintz Levin has created a handy reference chart detailing the changes from the 2009 update, or you can download the entire rule here. Business Associates (and your subcontractors), take note.


U.K. fines Sony $400,000 for 2011 breach

I talked a bit about Sony’s breach here a couple of years ago. The company is still dealing with the repercussions, and the statement was rather damning.

"If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough," David Smith, deputy information commissioner and director of data protection, said in a statement announcing the fine.