A coalition of 41 state attorneys general has reached a settlement with American Medical Collection Agency in the wake of a 2018 data breach that compromised the personal and health data of 21 million individuals and pushed the company to file for bankruptcy.
Under the settlement, Elmsford, New York-based AMCA has agreed to implement data security practices, including developing and implementing an incident response plan, employing a CISO, and hiring a third-party assessor to perform an information security assessment.
As part of the agreement, AMCA may also be liable for a $21 million payment to the states if the company violates the injunctive terms of the agreement. Because of AMCA’s financial condition, however, the payment will be suspended if no violation occurs, the NY attorney general’s statement notes.
In a ruling that could have a profound impact on HIPAA enforcement, a U.S. Court of Appeals has vacated a $4.3 million HIPAA civil monetary penalty levied by federal regulators against the University of Texas MD Anderson Cancer Center in the wake of three breaches involving unencrypted mobile devices. The court called the penalty “arbitrary, capricious and contrary to law.”
In its ruling, the 5th Circuit U.S. Court of Appeals in Louisiana was critical of the Department of Health and Human Services Office for Civil Rights’ interpretation of HIPAA requirements and how it sets civil monetary penalties.
A Florida-based company that provides support services to hundreds of dental practices in 20 states says it’s been hacked, exposing information, including payment card numbers, on more than 1 million patients.
If details are confirmed by federal regulators, the incident would be one of the largest health data breaches reported so far this year.
On Oct. 11, Sarasota, Florida-based Dental Care Alliance discovered the hacking incident, according to a breach notification report submitted recently to Maine’s attorney general’s office.
The company’s breach notification indicates information “acquired” by hackers in the incident includes “individuals’ name or other personal identifier in combination with financial account number, or credit/debit card number in combination with security code, access code, password or PIN for the account.”