On May 3, 2022, the European Commission published a proposed regulation (the “EHDS Proposal”) for the establishment of a European Health Data Space (or “EHDS”). This is the first proposal for establishing domain-specific common European data spaces following the European strategy for data and an important step in building a European “Health Union”.

In short, the

Responding to the rise of interconnected technology, the National Institute for Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks.  Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach affecting CareCentrix’s personal and tax information regarding thousands of employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk for future identity theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury.  The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing where the plaintiffs suffered identity theft after a data breach.  Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s claim that Hapka failed to adequately plead the negligence claim because it did not have a statutory duty of care regarding employee information, and that plaintiff failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.

Please join Crowell & Moring’s Jodi Daniel and Elliot Golding on January 31, 2017 for an ABA webinar called Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More

This in-person panel discussion (with simultaneous webinar broadcast) will provide perspectives from the HHS Office for Civil Rights (OCR), the former director of the HHS Office of

Illinois State Court Issues First Settlement under Biometric Law

On December 1, 2016, the Cook County Circuit Court in Illinois approved what is being reported as the first settlement under the state’s Biometric Information Privacy Act, 740 ILCS 14/1 (BIPA or the Act).  BIPA provides a private right of action against companies that fail to

Hamburg DPA orders WhatsApp to stop sharing data with Facebook; GAO: HHS Needs to Improve Its Digital Health Protection Rules; Notice and Choice Becoming Par for the Course for Interest-Based Ads in Apps

German Data Protection Authority of Hamburg orders WhatsApp to stop sharing data with Facebook

On September 27, 2016, the Hamburg Commissioner for

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes,

‘Privacy Shield’ certifications possible since August 1, 2016; Hamburg DPA aims to challenge ‘Privacy Shield’; EU Court rules on applicability of EU privacy laws to online companies; Pokémon Go violating EU Privacy Laws?; Norwegian DPA criticizes ‘Facebook at Work’; Advocate Health to Pay Largest HIPAA Settlement Ever; FTC Overrules LabMD Dismissal; Banner Health Cyberattack Affects 3.7M; HHS Announces Grant for Healthcare Sector Information Sharing Organization

‘Privacy Shield’ certifications possible since August 1, 2016

On Monday, August 1, 2016, the U.S. Department of Commerce opened the registration process through which multinationals can self-certify their compliance with the newly adopted ‘EU-U.S. Privacy Shield’ (‘Privacy Shield’) for transfers of personal data from Europe to the U.S.

The ‘Privacy Shield’, which was formally approved via the European Commission’s adequacy decision on July 12, 2016, replaces the ‘U.S.-EU Safe Harbor’ Framework that the European Court of Justice invalidated in October 2015. The national Data Protection Authorities (‘DPAs’), acting as the Article 29 Working Party (‘WP29’), had also okayed the new Framework, stating that they would not seek to challenge it “at least until the next annual review”.

Companies that sign up to the new framework now may therefore rely on it at least until next May. For more details, see also our Client Alert on Privacy Shield as well as our previous week’s blog post.

Last month, the Office of the National Coordinator for Health Information Technology (“ONC”) sent a report to Congress highlighting the absence of adequate privacy and security safeguards for health data collected by entities not regulated by HIPAA.  For a discussion regarding the next steps to address these privacy and security gaps, please see our recent