On September 17, 2020, technology company Glow, Inc. (“Glow”) settled with the California attorney general over security and privacy failures in Glow’s fertility-tracking app. The app was designed so that women could record personal medical information related to cycle and ovulation tracking. Between 2013 and 2016, the app was the subject of numerous allegations regarding its security.
According to the California attorney general, the app did not require a user’s authorization before that user’s information could be shared with another user, which led to data sharing without proper consent. The app also did not require a user to enter the old password before setting a new one, so anyone who gained access to a logged-in account could change the password and lock the legitimate user out while attempting to steal data. The California attorney general alleged that these and other privacy issues violated California’s consumer protection and privacy laws. The settlement requires Glow to pay $250,000 and to strengthen the app’s privacy and security controls. It also requires Glow to obtain affirmative consent from all users before sharing any personal medical information.
Although this state case focused on issues from 2013-2016, the settlement is timely and reflects issues currently facing healthcare providers. During the 2019 Novel Coronavirus (“COVID-19”) pandemic, the Office for Civil Rights (“OCR”) announced that it would temporarily refrain from imposing penalties for HIPAA noncompliance connected with the good-faith provision of telehealth. The purpose is to allow providers to continue caring for patients while following social distancing protocols and substituting telehealth for in-person office visits.
The sharp increase in telehealth since the pandemic began, however, has been accompanied by many data and security breaches involving patients’ personal health information. Since the pandemic began in February, five states and Washington, D.C. have updated their data breach notification requirements. The notable changes in law are listed below:
- Indiana: Licensees must maintain an information security program and conduct regular risk assessments. Where the licensee is domiciled in Indiana, a breach or cybersecurity event must be reported to the Indiana insurance commissioner only if it causes material harm to the licensee or affects at least 250 Indiana residents.
- Louisiana: Licensees must maintain an information security program and conduct regular risk assessments. Where the licensee is domiciled in Louisiana, a breach or cybersecurity event must be reported to the Louisiana insurance commissioner only if it causes material harm to the licensee or affects at least 250 Louisiana residents.
- Vermont: The definition of “personally identifiable information” has been expanded to include additional types of identifying information, including passport numbers, biometric data, genetic information, medical diagnoses, and Taxpayer Identification Numbers, among others. The definition of “security breach” was also amended to include the unauthorized acquisition of login credentials.
- Virginia: Licensees must maintain an information security program and conduct regular risk assessments. A cybersecurity event must be reported where it causes material harm to the licensee; with respect to Virginia residents, a reasonable belief of harm suffices, a lower threshold than the one that applies to the licensee itself.
- Washington State: The definition of personal information now includes the last four digits of Social Security Numbers for residents. This now applies to all local or state agencies, the definition of which has also been expanded.
- Washington, D.C.: The definition of personal information has been expanded to include additional types of identifying information, including passport numbers, biometric data, genetic information, medical information, and Taxpayer Identification Numbers, among others. Additionally, where a breach affects 50 or more D.C. residents, the attorney general must be notified. If a breach involves a Social Security Number, the impacted entity must offer complimentary identity theft protection services for at least 18 months.
For over 35 years, Wachler & Associates has represented healthcare providers and suppliers nationwide in a variety of health law matters, and our attorneys can assist providers and suppliers in understanding new developments in privacy and security laws across the country. If you or your healthcare entity has any questions pertaining to healthcare compliance, please contact an experienced healthcare attorney at 248-544-0888 or wapc@wachler.com.