Fan Sites for Pop Stars Settle Children’s Privacy Charges
The operator of fan Web sites for pop stars Justin Bieber, Selena Gomez, Rihanna and Demi Lovato agreed to pay a $1 million civil penalty to settle federal charges that the sites had illegally collected personal information about thousands of children, the Federal Trade Commission said Wednesday.
In a complaint, the Federal Trade Commission alleged that Artist Arena, the operator of the sites, had violated a children’s online privacy rule by collecting personal details — like the names, e-mail addresses, street addresses and cellphone numbers — of about 101,000 children aged 12 or younger without their parents’ permission.
The law, called the Children’s Online Privacy Protection Act, or COPPA for short, requires operators of Web sites to notify parents and obtain verifiable parental consent before collecting, using or disclosing personal information about children younger than 13.
Source: New York Times
Why passwords have never been weaker—and crackers have never been stronger
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.
"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
Read the full article here
Beth Israel suffers large data breach
Beth Israel Deaconess Medical Center (BIDMC) in Boston is in the process of notifying approximately 3,900 patients of a potential breach of protected health information (PHI) as a result of a physician's stolen personal laptop computer.
The computer was stolen from the office of a BIDMC physician on May 22. The computer, which contained a tracking device, has not been recovered nor has the tracking device been activated.
In addition to notifying law enforcement, which arrested a suspect in the theft, BIDMC engaged a national forensic firm to investigate whether data were compromised.
Source: CMIO
California Starts Up a Privacy Enforcement Unit
Watch out, Silicon Valley, there’s a new startup in town and it’s gunning for you. California Attorney General Kamala Harris announced Thursday she’s created a unit intended to actually enforce federal and state privacy laws.
“The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others,” California’s top attorney said in a statement.
The announcement of the unit, comprised of six attorneys, comes just months after Harris inked a February agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to demand that mobile apps on their platforms contain privacy policies. Facebook signed on last month.
Source: Wired Threat Level
OCR Director Leon Rodriguez Says Tolerance for HIPAA Non-Compliance Is Low
On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.
In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuit against Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.
Supreme Court Upholds the Individual Mandate
This morning, the Supreme Court issued its highly anticipated decision on the constitutionality of portions of the Affordable Care Act (Nat. Fed'n Indep. Business v. Sebelius, Florida v. Dept. of HHS; and Dept. of HHS v. Florida). The majority of the Court concluded the following on the key questions in the case --
1. The individual mandate is constitutional as an exercise of Congress' power under the Taxing Clause (although it could not be upheld based on the Commerce Clause and the Necessary and Proper Clause).
2. The expansion of Medicaid to additional populations is constitutional, but the federal government cannot withhold existing (non-expansion) Medicaid funds for non-compliance with the expansion requirements.
The majority opinion was authored by Justice Roberts. Justice Ginsburg authored a concurring opinion on behalf of herself, Justice Sotomayor and (in part) Justices Breyer and Kagan; the concurring Justices would have also upheld the individual mandate as an exercise of Congress' power under the Commerce Clause. A dissenting opinion was issued by Justices Scalia, Kennedy, Thomas, and Alito. Justice Thomas authored a separate dissent.
A copy of the opinions is attached, and additional analysis will be forthcoming as we review the opinions in the case. Also, please join us for an opportunity for more detailed discussion on the implications of the decision at our roundtable event on July 11, 2012. Details on the event and RSVP information can be found at http://www.dlapiper.com/health-care-at-the-crossroads-roundtable-discussion-07-11-2012/.
For additional information, please do not hesitate to contact Mary Langowski at 202.799.4362 or mary.langowski@dlapiper.com, or Piper Nieters Su at 202.799.4330 or piper.nieterssu@dlapiper.com.
Massachusetts Hospital Agrees to Pay $775,000 for Security Breach
By Amy Crafts
Following a two-year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, where the information disclosed included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
In February 2010, South Shore Hospital retained a third-party service provider to erase 473 unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. While the third-party service provider was retained before the Regulations were implemented, the AGO noted that South Shore Hospital did not notify the third-party service provider that the tapes contained such sensitive information, and also did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.
In June 2010, South Shore Hospital learned that only one of the boxes was accounted for, and that two of the boxes were missing. There have been no reports of unauthorized use of the personal information or protected health information to date. An investigation conducted by South Shore Hospital indicated that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable.
Full Story via Proskauer Privacy Blog
HIPAA and Emerging Technologies
Originally Authored by M. Scott Koller and Marcia L. Augsburger and published by the American Health Lawyers Association, HIPAA and Emerging Technologies, 14 HIT News 3, 6 (November 2011).
The Health Insurance Portability and Privacy Act of 1996 (HIPAA) is 15 years old this year – still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes more murky.
Read the full article here: HIPAA and Emerging Technologies Article
Two Privacy Bills on the Move in California
Two privacy-related bills are on the move in California. The California Genetic Information Privacy Act would prohibit the unauthorized collection, testing and distribution of DNA data. "We have laws to protect the privacy of our financial information, our medical records and even the books we check out from the local library," said the bill's author, State Sen. Alex Padilla (D-Pacoima), adding, "We need genetic privacy protections because nothing is more personal than our DNA." The bill passed the Senate Judiciary Committee on Tuesday, according to a GovTech report. Meanwhile, the California Location Privacy Bill passed the Senate Public Safety Committee earlier this week after a certain disclosure provision was removed.
Office To Release Mobile App Guidelines
The chief of California's Office of Privacy Protection says the office will soon release guidelines for mobile app developers on data collection, data sharing and written privacy policies, PCWorld reports. Chief Joanne McNabb, CIPP/G, CIPP/IT, CIPP/US, says the guidelines, likely to be released in July, will be developed with an advisory panel of experts and industry stakeholders. Though the office itself has no regulatory power, the guidelines will help companies comply with state laws, McNabb said, adding that the "practices and recommendations we come up with are not a floor of legal compliance nor are they a ceiling of ideal. I think of them as about chair-rail height. You want to push higher than developers are required to go."

