Eric A. Packel

Ransomware, COVID-19 and Regulations: Healthcare Entities Confront a Triple Threat

Given what the healthcare industry faced in 2020, the seventh edition of our Data Security Incident Response (DSIR) Report, “Disruption and Transformation,” is aptly titled. As if fighting the COVID-19 pandemic weren’t enough for the industry to tackle, it also faced a surge of ransomware attacks, evolving legal/regulatory considerations, and novel and complex issues presented … Continue Reading

Warning of Cybersecurity Threat to Healthcare Sector – Imminent Threat of Ransomware

BakerHostetler is closely monitoring a Cybersecurity Advisory issued jointly by several government agencies including the United States Department of Health and Human Services (HHS) and the FBI, on October 28. The Advisory warns of an imminent cybercrime threat to U.S. hospitals and healthcare providers with the purpose of infecting systems with Ryuk ransomware for financial … Continue Reading

Due to the COVID-19 Pandemic, HHS Eases Restrictions on the Use and Disclosure of PHI by Business Associates

The COVID-19 public health emergency already has caused the U.S. Health and Human Services (HHS) Office for Civil Rights to announce various enforcement changes and waivers. On April 2, HHS issued another notification of enforcement discretion – this one relating to business associates. This latest notification allows business associates to use and disclose protected health … Continue Reading

Deeper Dive: Choose the Right Forensics Firm for the Job

Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation. Forensics firms can not only help determine what happened in a data incident but can also provide recommendations for containment and mitigation. … Continue Reading

What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights. But the pain doesn’t end there. … Continue Reading

Moving Beyond Passwords – Does Your Face Raise Privacy Concerns?

Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake email. Thus, network passwords, combined with employee susceptibility to phishing emails, remain a major security weakness for corporations. … Continue Reading

Deeper Dive: Be Prepared for Regulatory Investigations in the Wake of a Security Incident

Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing … Continue Reading

Looking back at the HIPAA resolution agreements in 2016

In 2016, Health and Human Services’ (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA, continued robust enforcement efforts. There were 12 reported resolution agreements (RA) in 2016. An RA is a settlement agreement between HHS and a covered entity (or business associate) where the entity agrees to the payment of a resolution … Continue Reading

Privacy and Security in the Voting Booth

Could the presidential election be hacked? With Election Day upon us, concerns about the security of the U.S. election system have reached a fever pitch. But how likely is it that a breach could affect the election? Could hackers really make cries of a “rigged” election come true? The U.S. government is definitely concerned about … Continue Reading

Deeper Dive: Regulatory Investigations Following a Reported Breach

We recently released our 2016 Data Security Incident Response Report (“Report”), which provides lessons learned and metrics related to over 300 data security incidents handled by our team. As noted in the report, once an incident is made public the potential ramifications include a wide-ranging investigation by a regulatory agency, such as state attorneys general. … Continue Reading

Government Access to Private Data: Microsoft Opens a New Front in the Battle for Consumer Privacy

Prior to the Information Age, sensitive papers were stored in file cabinets and drawers. When home computers arrived, information was digitized and moved to hard drives or other electronic media, still possessed by the user. Today, with the general availability of high-speed Internet service, many individuals are moving information to the so-called cloud – which … Continue Reading

Encryption: The Battle Between Privacy and Counterterrorism

For privacy advocates, it is universally accepted that encryption is a very good thing. After all, encrypted data is deemed a safe harbor under HIPAA and state breach-notification laws, providing an “out” from potential fines and penalties when an encrypted device is lost that contains sensitive health or other personal information. In addition to encouraging … Continue Reading

Colleges and Universities Are Prime Cyberattack Targets: What’s Behind the Threat?

When it comes to cyberattack targets, many think of retailers and associated credit card transactions or customer information, or perhaps healthcare providers with their ever-increasing storage and transmission of electronic information related to patients. But colleges and universities are increasingly under siege from hackers. In fact, the education sector, according to recent reports, comes in … Continue Reading

A Kinder, Gentler Spanish Data Protection Authority?

As of July 24, Spain has a new director for its Data Protection Authority (Agencia Española de Protección de Datos — AEPD). The AEPD is the agency responsible for conducting investigations and bringing disciplinary actions concerning data protection issues, including compliance with Spain’s Data Protection Act of 1999 (called the “LOPD” in Spain), which implemented … Continue Reading

Cross-Border Data Transfers: Cutting Through the Complexity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in … Continue Reading

Will Using “Apple Pay” Keep the Data Breach Away?

Recently Apple unveiled its latest iPhones and other new products. While the big screens on the new iPhones are making the splashy headlines, perhaps the most interesting reveal, from a data privacy perspective, is not a shiny gadget, but the new mobile payment service dubbed “Apple Pay”. Although mobile payment services aren’t new – Google … Continue Reading

Privacy or Politics? – Russia Seeks More Control Over its Citizens’ Personal Data

Back in July, President Vladimir Putin signed a law (Federal Law No. 242-FZ) that compels “data operators” to store Russian citizens’ personal data only inside Russia. Previously, Russian law allowed the storage of data relating to Russian citizens to be located on servers in foreign countries. Under the new law, companies that collect personal data … Continue Reading

Is the 5th Time the Charm? – Nationalizing Data Breach Notification

Once the smoke and dust clears from the latest enormous data breach, the fried servers are hauled away and the ritual IT department purge takes place, the focus seems to turn to the lack of any comprehensive national data breach law. Although certain sector specific breach notification laws are in place, such as HIPAA/HITECH in … Continue Reading