Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI

It didn't take long for a state Attorney General to latch onto Title XIII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act, the HITECH Act) to bring a covered entity into a data loss-related settlement. Health Net of the Northeast, Inc. and its various related affiliates (collectively, "Health Net") consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)) with the Connecticut Attorney General's Office and the State of Connecticut (the "Judgment"). The Judgment stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.


Mastercard Changes to their PCI Compliance Rules

Under Mastercard's new rules concerning merchant level definitions, companies that were previously Level 4 merchants (and did not have to undergo a PCI assessment unless their acquiring bank requested one) have apparently been reclassified as Level 3 merchants (which must conduct at least a self-assessment questionnaire).

Mastercard has also announced a fine regime for PCI non-compliance; Branden Williams of VeriSign has written up the details.

Nevada's Security of Personal Information Law Post Five: Remedies, Penalties and Enforcement

The following FAQs address the remedies, penalties and enforcement provisions of Nevada's Security of Personal Information Law. Earlier posts in this series cover the rest of the FAQ.


Maine Privacy Law Applies Stringent Limits to Collection of Personal Information of Minors

A new Maine law gets serious about data collection and marketing directed at minors. The key portion of the law:

§ 9552. Unlawful collection and use of data from minors

1. Unlawful collection. It is unlawful for a person to knowingly collect or receive health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent of that minor's parent or legal guardian.

2. Unlawful use. A person may not sell, offer for sale or otherwise transfer to another person health-related information or personal information about a minor if that information:
A. Was unlawfully collected pursuant to subsection 1;
B. Individually identifies the minor; or
C. Will be used in violation of section 9553.

§ 9553. Predatory marketing against minors prohibited

A person may not use any health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product. Use of information in violation of this section constitutes predatory marketing.

The law provides for a private right of action with possible recoveries of up to $750 per violation in damages, as well as civil penalties:

3. Civil violation; penalty. Notwithstanding the penalty provisions of Title 5, section 209, each violation of this chapter constitutes a civil violation for which a fine may be assessed of:
A. No less than $10,000 and no more than $20,000 for a first violation; and
B. No less than $20,000 for a 2nd or subsequent violation.

The law takes effect on September 12, 2009.