Showing posts with label Personally Identifiable Information.

Thursday, August 15, 2013

Photocopier Hard Drives Cause Breach Yielding $1.2 Million HIPAA Settlement


On August 14, 2013, the Office of Civil Rights for the U.S. Department of Health and Human Services ("HHS OCR") announced a $1.2 million settlement with Affinity Health Plan for violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). According to the HHS OCR press release, the violation arose when Affinity disposed of photocopiers with built-in hard drives which still contained images of patient records that had been photocopied on the devices:

Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. Affinity indicated that it was informed by a representative of CBS Evening News that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.
The Affinity resolution agreement may be downloaded here.

Beyond the substantial size and number of individuals' records involved in this case, it is notable that the breach in question was from a device not typically thought of as prone to privacy problems: a photocopier with an internal hard drive. Most users don't consider the built-in storage in printers and photocopiers, but these devices can and do retain previously printed and scanned information. The FTC and NIST offer useful information for organizations on improving security and privacy of digital printers and copiers.

Friday, February 1, 2013

Path Pays $800,000 to FTC for Alleged Privacy Violations


On the same day that the FTC released its new report on mobile privacy, the Commission also announced its latest online mobile privacy enforcement action, an $800,000 settlement with the operator of the Path social networking app. According to the FTC's news release:
Path operates a social networking service that allows users to keep journals about “moments” in their life and to share that journal with a network of up to 150 friends.  Through the Path app, users can upload, store, and share photos, written “thoughts,” the user’s location, and the names of songs to which the user is listening.

In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information.  In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks.  The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.”  However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option.  For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information.  In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user’s mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.

The agency also charged that Path, which collects birth date information during user registration, violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent.  Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written “thoughts,” their precise location, and the names of songs to which the child was listening.  Path version 2.0 also collected personal information from a child’s address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available....
The case documents may be found here.

The FTC has been actively enforcing violations of children's privacy for more than ten years, and is explicitly increasing its enforcement activities in mobile privacy and data security. (The FTC recently announced changes to its COPPA rule, but those have not yet gone into effect; the Path enforcement arises out of the current rule.) This latest action is consistent with the Commission's ongoing efforts both to encourage proper practices with regard to consumers' personal information and to punish those firms that fail to appropriately respect privacy and data security.

Thursday, January 24, 2013

The Other Google Search: 8438 Data Requests by U.S. Gov't


Google has released the latest version of its Transparency Report, covering the period from July 1 through December 31, 2012. In the report, Google states that the U.S. government made 8,438 requests for user data from Google during the period, covering a reported 14,791 users/accounts, and that Google responded fully or partially to an aggregate of 88% of those requests, broken down as follows:

July to December 2012

Request type      Records Requested   Users/Accounts   Percentage Fully/Partially Complied With
Search Warrant    1,896               3,152            88%
Subpoena          5,784               10,390           88%
Other             758                 1,249            90%

The number of these requests, particularly from the U.S. government, has been steadily increasing over the past few years; the U.S. government made only 3,580 total requests in the same period in 2009. Google states in the introduction to its report, "We review each request to make sure that it complies with both the spirit and the letter of the law, and we may refuse to produce information or try to narrow the request in some cases." It also attributes some of the increase to its own growth: "Usage of our services have increased every year, and so have the user data request numbers."

While Google is to be commended for its efforts to disclose (some of) the requests for information it receives, the report and the increases it shows serve as a reminder of the size, scope and value of Google's collection of data about its users. Given how many products Google owns, many of which may not bear obvious Google branding (such as the Zagat Restaurant Guide) but may still be feeding user data into Google's central servers (Zagat's privacy policy is the Google shared one, as is that of its fellow non-obvious Google acquisition, the Frommer's Travel Guides site), one may legitimately question whether all users are able to provide truly informed consent to Google's data collection, which is increasingly a governmental resource as well.

Wednesday, December 19, 2012

FTC Announces Significant Update of COPPA Rule



After a number of rounds of public comment and workshops, the FTC has released its revised regulations under the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The new regulations, to take effect on July 1, 2013, take into account changes in both technology and business since the original statute and regulations were enacted. According to the FTC’s release, the revised COPPA regulations:
  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
  • strengthen the FTC’s oversight of self-regulatory safe harbor programs.

In his public statement describing the new Rule, FTC Chairman Jon Leibowitz described the FTC’s intentions with its revisions:

Just like you, we want a Rule that will protect innovation, and we think we have crafted one. Just like you, we want a Rule that will foster safe and vibrant spaces for children that are beneficial for learning and growth without creating a sanitized version of the Internet for older kids and adults, and we think we have struck that balance. Just like you, we want a Rule that will support diverse and free services online, and we think we are offering one today.

And, let’s be clear about one thing: under this Rule, advertisers and even ad networks can continue to advertise, even on sites directed to children. Business models that depend on advertising will continue to thrive. The only limit we place is on behavioral advertising, and in this regard our Rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.

The FTC has prepared a list of “Five Need-to-Know Changes” to the COPPA Rule for businesses, available here. The full text of the new Rule, to be published in the Federal Register, may be downloaded from this link. Finally, for some historical perspective, the following (courtesy of C-SPAN) is the original floor speech by Senator Richard Bryan of Nevada introducing COPPA on July 17, 1998:
 

Monday, December 17, 2012

Children's Privacy: CDD files FTC Complaint Against Nickelodeon Spongebob App



In the latest legal development in the increasingly active world of children's privacy law, the Center for Digital Democracy announced that it had filed a complaint with the Federal Trade Commission against the cable network Nickelodeon and software developer PlayFirst over the SpongeBob Diner Dash game for iOS. According to the CDD's release, the description for the game in Apple's iTunes store inaccurately states that the app complies with the Children's Online Privacy Protection Act ("COPPA"):

As the complaint documents, Nickelodeon and PlayFirst engage in deceptive acts by representing in the privacy disclosure on the Apple App Store that the app’s “data collection is in accordance with applicable law, such as COPPA,” when in fact it is not. The SpongeBob Diner Dash game asks children to provide a wide range of personal information, including full name, email address, and other online contact information, without providing notice to parents or obtaining prior parental consent, as required by the Children’s Online Privacy Protection Act. Nor does the app provide an adequate description of the personal information it collects or how it is used.  
The FTC has not yet responded to CDD's request to investigate Nickelodeon and PlayFirst. CDD's complaint may be read here.

In a related matter, the FTC will reportedly release its update to the COPPA rules this week. These rules, which have been the subject of significant public discussion and comment, are the key regulatory requirements for those companies which collect personal information from children under the age of 13.

Sunday, December 2, 2012

Australian Federal Police Shut Down Romanian Cybercrime Ring



The Australian Federal Police announced on November 29th that it had charged seven people in Romania for "the largest credit card data theft in Australia's history." According to the release, the investigation began in June 2011 based upon a referral from an Australian financial institution, and ultimately involved "numerous international law enforcement partners" including Romanian authorities.

The scope of the data theft is substantial: more than 500,000 credit cards were potentially accessible, with approximately 30,000 being used for "fraudulent transactions amounting to more than $30 million" (Australian dollars). The cost of the fraud was apparently not borne by Australian consumers; instead, as in the United States, the issuing banks reimbursed the cardholders for the fraudulent transactions, which were performed throughout the world, including in Europe and the United States.

The case highlights the borderless nature of the Internet and the resulting challenges for law enforcement officials, as well as the significant financial exposure by companies and consumers for international (and local) data breaches and theft.

(Via @mukimu on ZDNet)

Tuesday, November 27, 2012

HIPAA De-Identification Guidance from HHS OCR

The Office of Civil Rights ("OCR") of the U.S. Department of Health and Human Services recently issued guidance for appropriate ways to de-identify (remove personally identifiable information from) electronically stored health records. De-identification is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rule in order to permit scientific analyses and other publicly beneficial uses of health records without violating the privacy of the patients whose health information is being shared for analysis. Section 164.514(b) of the HIPAA privacy rule provides two methods for de-identification: Expert Determination and the so-called "Safe Harbor."
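The Safe Harbor method named above, applied to a constructed patient record as an added example (this is not code from the OCR guidance or from this post). The field rules are my reading of 45 CFR 164.514(b)(2), the record is invented, and the `sparse_zip3` set is a placeholder for the Census-derived list of three-digit ZIP areas with 20,000 or fewer residents.

```python
import re
from datetime import date

# Added illustration of the Safe Harbor method the post names; the field rules
# are this example's reading of 45 CFR 164.514(b)(2), and all data is constructed.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip_address"}
SUBSTATE_GEOGRAPHY = {"street", "city"}  # only the state and ZIP3 may stay
FREE_TEXT_PATTERNS = [                   # scrub contact details in clinical notes
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),   # US phone numbers
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),    # e-mail addresses
]

def safe_harbor(record, sparse_zip3, today=date(2013, 1, 1)):
    """De-identify one patient record. sparse_zip3 holds 3-digit ZIP prefixes
    covering <= 20,000 people (Safe Harbor zeroes those); in practice it comes
    from Census data, here it is a constructed placeholder set."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUBSTATE_GEOGRAPHY:
            continue                      # removed outright
        if field == "dob":
            y, m, d = (int(p) for p in value.split("-"))
            age = today.year - y - ((today.month, today.day) < (m, d))
            if age >= 90:                 # ages over 89 collapse to one category
                out["age"] = "90+"        # and the birth year is dropped too
            else:
                out["birth_year"] = y     # only the year of a date survives
        elif field == "zip":
            prefix = value[:3]
            out["zip3"] = "000" if prefix in sparse_zip3 else prefix
        elif field == "notes":
            for pat in FREE_TEXT_PATTERNS:
                value = pat.sub("[REDACTED]", value)
            out["notes"] = value
        else:
            out[field] = value            # e.g. state, diagnosis code
    return out

SAMPLE = {  # constructed record, not a real patient
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "dob": "1921-06-30", "street": "1 Example St", "city": "Exampleville",
    "state": "NY", "zip": "10001", "phone": "555-555-0100",
    "email": "jane@example.invalid", "diagnosis": "E11.9",
    "notes": "Callback 555-555-0100 or jane@example.invalid re: labs.",
}
SPARSE_ZIP3 = {"036", "059"}  # constructed placeholder, not Census-derived
```

Note that the result still carries quasi-identifiers (state, ZIP3, diagnosis), which is exactly the residue that linkage attacks of the kind discussed in the next paragraph exploit; Safe Harbor removes listed fields, it does not guarantee unlinkability.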

It can be challenging, though, to completely de-identify any health information, since those with other sources of information may be able to combine those databases with the de-identified data to "re-identify" individual patients. (In a non-health context, this was demonstrated in 2006 after AOL released a supposedly anonymized search query database of its users, and reporters were able to positively identify at least one user by her particular searches.) With its latest guidance (which can be downloaded here), OCR answers questions about the use and limitations of its approved de-identification methods.

(via IAPP)