On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.
Continue Reading HHS Targets Small Behavioral Health Clinic for HIPAA Violations Following Ransomware Investigation

On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers.
Continue Reading FTC Proposes Settlement with Blackbaud in Connection with Alleged Security Failures

On December 14, 2023, the Court of Justice of the European Union issued its judgment in the case of VB v. Natsionalna agentsia za prihodite (C‑340/21), in which it clarified the concept of non-material damage under Article 82 of the GDPR and the rules governing burden of proof in the GDPR.
Continue Reading CJEU Rules That Fear May Constitute Damage Under the GDPR

On November 23, 2023, the UK government’s National Cyber Security Centre and the Republic of Korea’s National Intelligence Service issued a joint advisory detailing techniques and tactics used by cyber actors linked to the Democratic People’s Republic of Korea that are carrying out software supply chain attacks.
Continue Reading UK and Republic of Korea Issue Warning about DPRK State-Linked Cyber Actors

On October 31, 2023, the Department of Health and Human Services announced the issuance of a settlement agreement with Doctors’ Management Services, a Massachusetts-based medical management company, related to alleged violations of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules.
Continue Reading HHS Announces First HIPAA Settlement Agreement Involving Ransomware Attack

On February 16, 2023, the National Credit Union Administration Board unanimously approved a final rule requiring federally insured credit unions (FICUs) to notify the NCUA as soon as possible, and within 72 hours, after the FICU “reasonably believes” that a reportable cyber incident has occurred.
Continue Reading NCUA Board Approves Cyber Incident Reporting Requirement for Credit Unions