At a glance.
- US hospital system reports breach of two websites.
- FTC to revise the Health Breach Notification Rule.
- Retired Vermont teachers exposed in Fortra data breach.
US hospital system reports breach of two websites.
Ascension Seton, a hospital system located in the US state of Texas, has disclosed it suffered a breach of two legacy websites in March, KUT Radio reports. While Ascension is still working with Vertex, the third-party vendor that manages the sites, to determine the scope of the breach, it appears that information patients entered on the Seton.net and DellChildrens.net websites might have been exposed. This potentially includes names, street addresses, Social Security numbers, credit card details, and insurance info. However, the hospital says it believes none of these data were exfiltrated, and that medical records were not compromised. The impacted websites have been shut down and replaced by new sites hosted by Ascension.
FTC to revise the Health Breach Notification Rule.
The Federal Trade Commission (FTC) last month announced a Notice of Proposed Rulemaking and Request for Comment on changes being made to the Health Breach Notification Rule (HBNR). First established in 2010, the HBNR requires vendors of personal health records not covered by HIPAA to disclose breaches of personally identifiable health data. With the developments in health-centric apps and other tech in the years since HBNR’s creation, the FTC is looking to clarify the scope of the rule, making it clear that apps and other connected devices must comply with HBNR. As Ropes & Gray explains, the rule changes were motivated by a complaint filed by the Department of Justice on behalf of the FTC against Easy Healthcare Corporation, a non-HIPAA-regulated entity, for unauthorized data sharing. The changes include the expansion of the definition of a security breach to include sending identifiable health data to third parties, clarifying that apps that can collect health information qualify as “personal health records,” and requiring the electronic notification of individuals in the case of a data breach. The public has sixty days to submit comments on the proposed changes.
Retired Vermont teachers exposed in Fortra data breach.
Government officials in the US state of Vermont announced Wednesday that the personal data of over seven thousand retired Vermont teachers were compromised in January as a result of the Fortra LLC data breach. As VTDigger explains, Fortra provided the file transfer software that Vermont Blue Advantage used to exchange files with benefits administrator NationsBenefits, and all of the impacted individuals were members of the Vermont State Teachers’ Retirement System who had supplemental health benefits provided by Vermont Blue Advantage. According to Deputy State Treasurer Gavin Boyles, the stolen data include names, dates of birth, street addresses, and medical and insurance information, but fortunately Social Security numbers were not exposed. “NationsBenefits reported the matter to law enforcement, and the investigation is ongoing,” Boyles stated. NationsBenefits has stopped using Fortra’s software and is updating its security procedures to prevent further exposure.