HHS Imposes $2.1M Fine For Accidental Disclosure Of PHI On Search Engines

On October 18, the Department of Health and Human Services (HHS) announced a settlement with St. Joseph Health over alleged violations of HIPAA. The settlement includes a $2.1 million fine and a three-year Corrective Action Plan. The allegations stem from St. Joseph’s report to HHS in February 2012 that its patients’ protected health information (PHI) had been available through online search engines for about a year. The settlement highlights the importance of conducting a full risk assessment of all systems, including whenever technological, operational, or other changes are made to the handling and storage of PHI.

European Court Cements Regulation Of IP Addresses, But Limits Scope Of Regulation

In an October 19 judgment in Breyer v. Federal Republic of Germany, the European Court of Justice found that dynamic IP addresses usually constitute “personal data” under EU data protection law. But the court acknowledged that “legitimate interests” might justify the processing of IP addresses, including the prevention of cyberattacks.

NHTSA Releases Proposed Cybersecurity Guidance For Vehicles

On October 24, the National Highway Traffic Safety Administration (NHTSA), part of the Department of Transportation, released proposed non-binding guidance for the automotive industry to help improve the cybersecurity of vehicles. The guidance, entitled “Cybersecurity Best Practices for Modern Vehicles,” encourages the industry to prioritize vehicle cybersecurity by adopting its guidance as well as existing standards and best practices, and by establishing internal processes and strategies to ensure that systems are reasonably safe under real-world conditions. The proposed guidance will be open for public comment until November 28, 2016.