Office of Civil Rights Issues Phishing Email Alert

On November 28, 2016, the Office of Civil Rights of the Department of Health and Human Services, the entity responsible for HIPAA administration, issued an alert about a potential “phishing” email scam. The email purports to come from OCR’s Director, Jocelyn Samuels, and targets employees of covered entities and business associates. The email appears legitimate and includes a link concerning the audit program. By clicking on the link, the user is redirected to a cybersecurity firm marketing website.

For those who may not be familiar with the term, “phishing” refers to an email that looks official or legitimate, but then redirects the person to an unaffiliated website. Common “phishing” emails mimic requests from credit card companies for personal information, auction sites for login information, and banks for updated privacy information. As always, if you have received an email that you did not expect and have questions about it, contact the alleged source directly to verify before opening.

Tennessee Modifies Breach Notification Statute

The Tennessee legislature recently amended that state’s data breach notification statute. Tennessee now requires information holders to disclose any security or data breach to Tennessee residents “immediately, but no later than fourteen (14) days from the discovery or notification of the breach.” There is an exception if more time is needed for a legitimate law enforcement reason.

Also, the Tennessee legislature changed the rule regarding disclosure of access to encrypted data as well as unencrypted data. Finally, the legislature broadened the definition of “unauthorized user” to include employees of the information holder.

The Governor signed the bill and the law becomes effective July 1, 2016.

FBI Issues Warning for Ransomware Malware

The Federal Bureau of Investigation is warning all businesses about the risks of “ransomware.” Ransomware is malware – a malicious program embedded inside of a message or web page. The message may come in the form of an innocuous message directed towards a specific person in the organization, such as a controller, accountant, or risk manager. The message typically includes an attachment, like document (.pdf), text file (.txt), or spreadsheet (.xls) that appears legitimate, such as a bill or a letter. Alternatively, the message may direct the user to a website that appears valid. When the user opens the attachment or goes to the website, the malicious program encrypts – that is, hides – files and folders containing the user’s information and data. The person or organization who sent the message then contacts the user and demands a ransom – money for the return of the information and data.

There has been an increase in the number of ransomware attacks. The FBI does not advocate paying a ransom for the return of data. The FBI has set up a Cyber Task Force to assist in the event of a ransomware attack ( The FBI recommends employee training, keeping all operating systems, software, and antivirus/malware protection systems up to date, and maintaining robust file access privileges across an organization.

If a health care provider, covered entity, or business associate is hit with a ransomware attack, there may be additional reporting requirements under HIPAA, depending on the circumstances. Remember, many insurance policies provide data breach services that include assistance with reporting and remediation.

Home Depot Settles Data Breach Claim

Home Depot settled a class action lawsuit based on a massive data breach involving private information of up to 56 million people who used the self-check kiosks at the company stores. According to published reports, Home Depot is paying $13 million in damages, including out of pocket expenses and substantiated losses up to $10,000 per claimant. In addition, Home Depot will pay qualified claimants up to $75 for time spent remedying any identity theft issues. Home Depot agreed to remediate with new security measures. Lastly, Home Depot agreed to pay the lawyers involved in the multi-district litigation nearly $8.5 million in legal fees and $300,000 in expenses. The settlement is unique in that it included compensation for time spent by the claimants to undo the damage.

Welcome to the Blog!

Welcome to the blog for the Data Privacy and Breach practice group of Copeland, Stair, Kingma & Lovell!  Our experienced attorneys handle data breach responses, coverage issues, and risk management consulting for companies of all sizes.

In our first installment of the blog, we are reporting on legal developments arising out of a massive data breach involving health insurer Anthem. Multiple lawsuits were filed alleging putative class action claims against Anthem.  The multi-district litigation was consolidated and transferred to the Northern District of California. On Sunday evening, Judge Lucy Koh entered an order dismissing several claims brought under various state and federal laws, including common-law negligence claims.  Notably, Judge Koh ruled that Indiana does not recognize a private right of action for negligence arising in a data breach situation.  In addition, Judge Koh conditionally dismissed a claim based on Georgia’s Insurance Information and Privacy Protection Act (O.C.G.A. §33-39-14) with leave to replead the claim.

The order is significant because it continues the trend of rejecting attempts to turn data breaches into damages claims. While data privacy and protection is a heavily regulated part of doing business, most claimants have not been able to develop theories of liability that enable them to collect tort damages in breach cases.

The case is In Re Anthem Inc. Data Breach Litigation, U.S. District Court, Northern District of  California, No. 5:15-MD-02617.