Privacy Foundation

Medical Patient Security

The Latest Privacy Risk? Looking Up Medical And Drug Information Online, 02/24/2015,
Neil Ungerleider reports: If you have cancer, HIV, diabetes, lupus, depression, heart disease—or you simply look up health-related information online—advertisers are watching you. A new paper on what happens when users search for health information online shows that some of our most sensitive internet searches aren’t as anonymous as we might think.

A new sheriff in town: Federal Trade Commission enforcement of medical information security, 09/17/2014,
A recent court decision found that the Federal Trade Commission (FTC) has authority to enforce the requirements for security of Protected Health Information, or PHI, as defined under the Health Information Portability and Accountability Act (HIPAA), against a defense asserted that the FTC has no authority under that statute.

Fourth Annual Benchmark Study on Patient Privacy and Data Security, 3/22/2014,
Ponemon Institute: “…we are releasing our Fourth Annual Benchmark Study on Patient Privacy and Data Security. We hope you will read the report sponsored by ID Experts that reveals some fascinating trends. Specifically, criminal attacks on healthcare systems have risen a startling 100 percent since we first conducted the study in 2010. This year, we found the number and size of data breaches has declined somewhat. Employee negligence is a major risk and is being fueled by BYOD.”

Data Broker Removes Rape-Victims List After Journal Inquiry, 12/19/2013,
If you missed Senator Rockefeller’s hearing on data brokers yesterday, Pam Dixon of the World Privacy Forum made a powerful point in her opening statement about how data brokers have no shame. She cited the fact that brokers were selling lists of rape victims’ names for 7.9 cents per name.

NZ privacy commissioner finds that physician properly mitigated harm following a breach, 09/18/2013,
A doctor working in a suburban medical practice had his car broken into and bag stolen. The bag contained a USB stick holding the personal information of a number of patients, including the complainant.

PPR Releases Trust Framework© for Data Privacy, 04/03/2013,
Patient Privacy Rights (PPR) is pleased to announce the publication of its Privacy Trust Framework©, a set of 75+ auditable criteria based on 15 key privacy principles.

De-identifying protected health information: OCR issues long-awaited guidance, 01/04/2013,
The HIPAA Privacy Rule is intended to protect individually identifiable health information by limiting its use and disclosure. But the Privacy Rule expressly permits the de-identification of that information, and in doing so recognizes the usefulness of that information for “secondary purposes” such as comparative effectiveness studies, policy assessment and life sciences research.

Data Breach Investigation | Due Process of Law, 11/30/2010,
The following is cross-posted from
In September, I posted an excerpt from a thought-provoking commentary by attorney Benjamin Wright. In discussing a fine levied against Lucile Salter Packard Hospital for late notification under California’s breach notification law, he had written, in part…

New Ponemon study: patient data inadequately protected, many hospitals do not notify patients of breaches, 11/09/2010,
The Ponemon Institute has released a new study sponsored by ID Experts, “Benchmark Study on Patient Privacy and Data Security.” The study examined hospitals’ patient privacy practices, breaches involving patient information, and compliance policies and activities.

Did the punishment fit the “crime?”, 09/29/2010,
Lucile Salter Packard Children’s Hospital at Stanford University was fined $250,000 earlier this year by the California Department of Public Health (“CDPH”) for an alleged delay in reporting a breach under California’s health information privacy law.

Judge won’t accept pleas in Jackson Memorial Hospital ID theft case,
A husband-and-wife duo charged with running a racket to pilfer patient records from Jackson Memorial Hospital to sell to lawyers for injury claims tried to plead guilty Tuesday in Miami federal court.

Hospital fulfills subpoena, gets hit with privacy suit, 5/3/2010,
Patient privacy is no doubt paramount in any physician practice. But when a subpoena suddenly is thrust into the physician-patient relationship, doctors may find themselves caught between the law and their privacy obligations.

EMR Data Theft Booming, 3/26/10,
Acceleration in the use of electronic medical records may lead to an increase in personal health information theft, according to a new study that shows there were more than 275,000 cases of medical information theft in the U.S. last year.

Better safe than sorry: Express Scripts should notify everyone, 10/02/09,
Almost a year after it was contacted by an extortionist, pharmacy benefits management company Express Scripts first learned that the extortionist was in possession of at least 700,000 more members’ personal information…

FTC issues Health Breach Notification Rule, 08/18/09,
The Federal Trade Commission (“FTC” or “Commission”) is issuing this final rule…

‘Anonymized’ data really isn’t – and here’s why not, 09/08/09,
The Massachusetts Group Insurance Commission had a bright idea back in the mid-1990s—it decided to release “anonymized” data on state employees that showed every single hospital visit.

Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy

U.S. Congress to Gut State Medical Privacy Laws?, 2/11/06,

Medical Data on 365,000 Stolen, 1/26/06,

Data Protection Used as Smokescreen, 1/18/06,

Sturm College of Law
University of Denver
2255 E. Evans Avenue
Denver, CO 80208