Katie Malone

The “P” in HIPAA doesn’t stand for privacy. It’s one of the first things a lot of experts will say when asked to clear up any misconceptions about the health data law. Instead, it stands for portability — it’s called the Health Insurance Portability and Accountability Act — and describes how information can be transferred between providers. With misinterpretations of HIPAA starting with just its name, misunderstandings of what the law actually does greatly impact our ability to recognize which kinds of data do and don’t fall under its scope. That’s especially true as a growing number of consumer tech devices and services gather troves of information related to our health.

We often consider HIPAA a piece of consumer data privacy legislation because it did direct the Department of Health and Human Services to come up with certain security provisions, like breach notification regulations and a health privacy rule for protecting individually identifiable information. But when HIPAA went into effect in the 1990s, its primary aim was improving how providers worked with insurance companies. Put simply, “people think HIPAA covers more than it actually does,” said Daniel Solove, professor at George Washington University and CEO of privacy training firm TeachPrivacy.

HIPAA has two big restrictions in scope: a limited set of covered entities, and a limited set of covered data, according to Cobun Zweifel-Keegan, DC managing director of the International Association of Privacy Professionals. Covered entities include healthcare providers like doctors and health plans like health insurance companies. The covered data refers to medical records and other individually identifiable health information used by those covered entities. Under HIPAA, your general practitioner can't sell data related to your vaccination status to an ad firm, but a fitness app (which wouldn't be a covered entity) that tracks your steps and heart rate (which aren't considered covered data) absolutely can.

“What HIPAA covers is information that relates to health care or payment for health care, and sort of any piece of identifiable information that’s in that file,” Solove said. It doesn’t cover any health information shared with your employer or school, like if you turn in a sick note, but it does protect your doctor from sharing more details about your diagnosis if they call to verify.

A lot has changed in the nearly 30 years since HIPAA went into effect, though. The legislators behind HIPAA didn’t anticipate how much data we would be sharing about ourselves today, much of which can be considered personally identifiable. So, that information doesn’t fall under its scope. “When HIPAA was designed, nobody really anticipated what the world was going to look like,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. It’s not badly designed; HIPAA just can’t keep up with the state we’re in today. “You're sharing data all the time with other people who are not doctors or who are not the insurance company,” said Tien.

Think of all the data collected about us on the daily that could provide insight into our health. Noom tracks your diet. Peloton knows your activity levels. Calm sees you when you’re sleeping. Medisafe knows your pill schedule. Betterhelp knows what mental health conditions you might have, and less than a year ago was banned by the FTC from disclosing that information to advertisers. The list goes on, and much of it can be used to sell dietary supplements or sleep aids or whatever else. “Health data could be almost limitless,” so if HIPAA didn’t have a limited scope of covered entities, the law would be limitless, too, Solove said.

Not to mention the number of inferences that firms can make about our health based on other data. An infamous 2012 New York Times investigation detailed how Target can figure out that someone is pregnant just from their online searches and purchases. HIPAA may not protect your medical information from being viewed by law enforcement officers. Even without a warrant, cops can get your records just by saying that you’re a suspect (or victim) of a crime. Police have used pharmacies to gather medical data about suspects, but other types of data like location information can provide sensitive details, too. For example, it can show that you went to a specific clinic to receive care. Because of these inferences, laws like HIPAA won’t necessarily stop law enforcement from prosecuting someone based on their healthcare decision.

Today, state-specific laws are cropping up across the US to help target some of the health data privacy gaps that HIPAA doesn’t cover. This means going beyond just medical files and healthcare providers to encompass more of people’s health data footprint. Protections vary between states: California, for example, provides options to charge anyone who negligently discloses medical information, and Pennsylvania offers some additional breach protections for consumers, but Washington state recently passed a law specifically targeting HIPAA’s gaps.

Washington State’s My Health My Data Act, passed last year, aims to “protect personal health data that falls outside the ambit of the Health Insurance Portability and Accountability Act,” according to a press release from Washington’s Office of the Attorney General. Any entity that conducts business in the state of Washington and deals with personal information that identifies a consumer’s past, present or future physical or mental health status must comply with the act’s privacy protections. Those provisions include the right not to have your health data sold without your permission and having health data deleted via written request. Under this law, unlike HIPAA, an app tracking someone’s drug dosage and schedule or the inferences made by Target about pregnancy would be covered.

My Health My Data is still rolling out, so we’ll have to wait and see how the law impacts national health data privacy protections. Still, it’s already sparking copycat laws in states like Vermont.

This article originally appeared on Engadget at https://www.engadget.com/hipaa-protects-health-data-privacy-but-not-in-the-ways-most-people-think-184026402.html?src=rss

HIPAA protects health data privacy, but not in the ways ...

Key systems in Fulton County, Georgia have been offline since last week when a 'cyber incident' hit government systems. While the county has tried its best to continue operations as normal, phone lines, court systems, property records and more all went down. The county has not yet confirmed details of the cyber incident, such as what group could be behind it or motivations for the attack. As of Tuesday, there did not appear to be a data breach, according to Fulton County Board of Commissioners Chairman Robb Pitts.

Fulton County made headlines in August as the place where prosecutors chose to bring election interference charges against former president Donald Trump. But don't worry, officials assured the public that the case had not been impacted by the attack. “All material related to the election case is kept in a separate, highly secure system that was not hacked and is designed to make any unauthorized access extremely difficult if not impossible,” said Fulton County District Attorney Fani Willis.

Likewise, Fulton County election systems did not appear to be the target of the attack. While Fulton County's Department of Registration and Elections went down, “there is no indication that this event is related to the election process,” Fulton County said in a statement. “In an abundance of caution, Fulton County and the (Georgia) Secretary of State’s respective technology systems were isolated from one another as part of the response efforts.”

So far, the impact of the attack ranges widely, from delays getting marriage certificates to disrupted court hearings. On Wednesday, a miscommunication during the outage even let a murder suspect out of custody. A manhunt continues after officials mistakenly released the suspect while he was being transferred between Clayton County and Fulton County for a hearing.

The county has not released information on when it expects systems to be fully restored, but it is working with law enforcement on recovery efforts. In the meantime, while constituents have trouble reaching certain government services, Fulton County put out a list of contact information for impacted departments. Fulton County also released a full list of impacted systems.

During the government IT outages, a local student also hacked into Fulton County Schools systems, StateScoop reported on Friday. The school system is still determining whether any personal information may have been breached, but most services came back online by Monday.

This article originally appeared on Engadget at https://www.engadget.com/fallout-from-the-fulton-county-cyberattack-continues-key-systems-still-down-161505036.html?src=rss

Fallout from the Fulton County cyberattack continues, key systems still ...

A cyberattack hit Carnegie Mellon University last summer and the attackers breached personal data, according to a disclosure from the school last week. The Pittsburgh-based university known for its top tech and computer science programs said on Friday that the attack impacted 7,300 students, employees, contractors and other affiliates.

"There is no evidence of fraud or inappropriate use of the information from those files," a statement from CMU said. Still, the attackers likely accessed and copied data that included names, Social Security numbers and birth dates. With help from law enforcement, CMU disabled any access to that copied data, according to the school.

It started on August 25 when unauthorized users accessed CMU's systems. The university says it began recovery processes and an investigation into the incident that concluded months later in December, while notifications to impacted parties began to go out last week. Impacted parties will receive credit monitoring services to mitigate further damage.

CMU did not respond to a request for comment and further information about the attack by the time of publication.

This article originally appeared on Engadget at https://www.engadget.com/carnegie-mellon-reveals-it-was-hit-by-a-cyberattack-over-the-summer-155618462.html?src=rss

Carnegie Mellon reveals it was hit by a cyberattack over ...

Major apparel supplier VF Corp followed up on its December cyberattack disclosure, with its latest Securities and Exchange Commission form admitting to a data breach impacting up to 35.5 million customers. That means if you've purchased from its major brands like Vans, North Face, Timberland, Dickies and more, you may have been impacted. But VF Corp still insists that the incident won't hurt its financial performance.

Initially, VF Corp warned customers that the cyberattack it experienced in December could have an impact on its holiday order fulfillment. The company said "unauthorized occurrences" on its IT systems caused operational disruptions, and the attackers likely stole personal information. Now, it's come out just how widespread the damage from the attack could be. 

VF Corp did not respond to a request for comment clarifying what type of data the hackers stole. In the SEC filing, however, the company said it did not collect consumer Social Security numbers, bank account information or payment card information, and that there is no evidence the hackers stole passwords. It also said that the unauthorized users were "ejected" from its systems by December 15, after being discovered two days earlier.

"Since the filing of the Original Report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts," the latest filing states. VF still has not confirmed who was behind the attack.

This article originally appeared on Engadget at https://www.engadget.com/apparel-supplier-for-north-face-vans-admits-its-cyberattack-led-to-a-data-breach-of-35-million-customers-153411926.html?src=rss

Apparel supplier for North Face, Vans admits its cyberattack led ...