We read online this morning that some of the 3,500 patents affected by the Center for Facial Restoration breach have been contacted by the criminals responsible, who have demanded payment and have threatened to exploit or sell off the compromised information. This is certainly awful news for the people who should have been able to trust that their Covered Entity (CE) was adequately protecting their ePHI. The doctor involved has asked the FBI for assistance and hopefully these criminals will be caught and prosecuted to the maximum extent allowed by law. To be clear, the patients are now being extorted.
The "as important" point of this post is that civil lawsuits brought against breached CE and their Business Associates (BA) normally rely on the plaintiffs to demonstrate harm or potential harm. This new activity removes all doubt whether the threshold is met from our perspective, although we aren't a lawyer group.
We continue to see companies continue to delay or self-administer their HIPAA Security implementation. While we applaud the latter, it's our consistent (and unfortunate) experience that almost no one gets HIPAA Privacy or Security correct on their own without some help. We implore all CE or BA send their HIPAA Officer(s) to dedicated offsite training and/or work with a great consultant at least one iteration of a risk analysis and through policy and procedure development - at the minimum - and do so again if the HIPAA Security or Privacy officer has been turned over to someone new.
Stay (HIPAA) safe,