Cybercrime |

Health Plans & Other HIPAA-Covered Entities Urged To Strengthen HIPAA Risk Analysis Processes & Documentation In Response To Rising Breach & OCR Enforcement Risks

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office of Civil Rights (“OCR”) two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative” .

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR has constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health plan claims and payment, health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis enforcement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. Territory, island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

With cyberattacks targeting health plan and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health plan and insurer and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Use Proposed Rules & Enforcement Actions For Additional Guidance To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience. Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health plans and other Regulated Entities should view Risk Analysis as a ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Suggested Process For Updating & Strengthening Risk Analysis

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, health plan fiduciaries may risk fiduciary liability under the Employee Retirement Income Security Act of 1974 for failing to prudently secure and protect participate and other health plan data from improper access, use or disclosure. Inadequate data safeguards for ePHI also can trigger liability for brokers, consultants, insurers and others under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded employers and insurers. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to employers, employer and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, health care and life sciences organizations, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally,more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Health Plans & Other HIPAA-Covered Entities Urged To Strengthen HIPAA Risk Analysis Processes & Documentation In Response To Rising Breach & OCR Enforcement Risks | Corporate Compliance | Tagged: AI, Cyber Security, Cybercrime, Cybersecurity, HIPAA, risk-assessment, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

$23M Penalty Small Part of 21st Century’s Data Breach Fallout; Offers Data Breach Lessons For Other Businesses

January 5, 2018

Continuing Fallout of 2015 Data Breach Provides Many Lessons For Other Businesses & Their Health Plans

Read the rest of this entry »

Comments Off on $23M Penalty Small Part of 21st Century’s Data Breach Fallout; Offers Data Breach Lessons For Other Businesses | ADA, Association Health Plan, Banking, Bankruptcy, board of directors, Brokers, Cafeteria Plans, Civil Monetary Penalties, Claims Administration, compensation, compliance, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, defined benefit plan, Defined Benefit Plans, defined contribution plan, Defined Contribution Plans, Disability, EBSA, employee, Employee Benefits, Employer, Employers, Employment, Employment Policies, ERISA, Excise Taxes, FACTA, Fiduciary Responsibility, Form 5500, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Internal Revenue Code, IRC, Labor Management Relations, Management, Mental Health, Pay, pension plan, Reporting & Disclosure, retirement plan, Retirement Plans, Retirements, Salaried, Tax, Uncategorized | Tagged: Cyber Security, Cybercrime, Data Breach, HIPAA, Identity Theft, Privacy, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Stamer To Moderate, Talk Medical CyberSecurity At 5/19 ISSA-LA IT Security Meedical Privacy Forum

May 12, 2017

Solutions Law Press, Inc. editor and attorney Cynthia Marcotte Stamer will speak and moderate two key panel programs on health care privacy and data security scheduled at the Healthcare Privacy & Security Form hosted on May 19, 2017 by the Information Security Systems Association of Los Angeles County (ISSA-LA) as a component of its 9th Annual ISSA-LA Information Security Summit. The presentations of Ms. Stamer and others at the conference are particularly timely coming on the heels of the May 12 Cyber alerts to U.S. health industry and other businesses about the urgent need to defend against the spread of an epidemic international malware threat targeting U.S. healthcare and other businesses. See Urgent WannaCry Ransomware Cyber Warning Issued; Alert: Guard Health E-Mail, Other IT Against WannaCry Malware Attack.

The Medical Privacy & Security Summit is part of the 9th Annual ISSA-LA Information Security Summit scheduled for May 18-19, 2017 at the Universal City Hilton in Los Angeles. Recognized as a premier information security education and networking event, the Summit is expected to bring together 1000 or more health industry and other IT and InfoSec executives, leaders, analysts, and practitioners to learn from the experts, exchange ideas with their peers, and enjoy conversations with the community.

The Healthcare Privacy & Security Forum offered for the 5^th year as a component of the annual Summit on May 19 specifically focuses on leading challenges, issues and opportunities confronted by health industry privacy and security professionals and their organizations. Ms. Stamer has served on the steering committee, moderator and popular faculty member for the 2017 Forum for the 5^th consecutive year. During the 2017 Forum, she will moderate and speak on two panels:

“Finding & Negotiating The Mine Fields: CISO, CIO & Privacy Officer’s Playbook for Promoting Compliance & Security Without Getting Fired,” a luncheon interactive panel discussion with the audience exploring the challenging mission CISOs, CIOs and Privacy Officers face to ensure their healthcare, financial and other critical information, data and systems continue to support the patient care and operating functions of their organizations, while at the same time defending these systems, operations and their sensitive, but mission critical data against malicious or innocent misappropriation, use, access or destruction; and
The closing panel on “What Initiatives Are on the Horizon in Healthcare, and How Can We Secure Them?”, which will explore likely future emerging privacy and security threats and technologies, regulatory challenges and enforcement, and other trends that Privacy and Security professionals are likely to face and tips and strategies for preparing to leverage these likely new opportunities and manage new challenges.

Register or get the full schedule of programs and other events scheduled at the Healthcare Privacy & Security Forum specifically along with the overall Information Security Summit here.

About Ms. Stamer

Cynthia Marcotte Stamer is a Martindale-Hubble “AV-Preeminent (Top 1%) rated practicing attorney and management consultant, health industry public policy advocate, widely published author and lecturer, recognized for her nearly 30 years’ of work on health industry and other privacy and data security and other health care, health benefit, health policy and regulatory affairs and other health industry legal and operational as a LexisNexis® Martindale-Hubbell® “LEGAL LEADER™ and “Top Rated Lawyer,” in Health Care Law and Labor and Employment Law; a D Magazine “Best Lawyers In Dallas” in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law,” a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel.

Scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer is well-known for her extensive work and leadership throughout her career on HIPAA, FACTA, PCI, IRC and other tax, Social Security, GLB, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns. Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks, insurers and other financial institutions, and others on trade secret confidentiality, privacy, data security and other risk management and compliance including design, establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, drafting and negotiation of business associate, chain of custody, confidentiality, and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others; reporting known or suspected violations; commenting or obtaining other clarification of guidance and other regulatory affairs, training and enforcement, and a host of other related concerns.

Her clients include public and private health care providers, health insurers, health plans, employers, payroll, staffing, recruitment, insurance and financial services, health and other technology and other vendors, and others.

Author of a multitude of highly-regarded works and training programs on HIPAA and other data security, privacy and use published by BNA, the ABA and other premier legal industry publishers In addition to representing and advising these organizations, she also speaks extensively and conducts training on health care and other privacy and data security and many other matters Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify promote tangible improvements in health care and other policy and operational areas.

For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by e-mail here or by telephone at (469) 767-8872. ©2017 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on Stamer To Moderate, Talk Medical CyberSecurity At 5/19 ISSA-LA IT Security Meedical Privacy Forum | ADA, ARRA, board of directors, Brokers, Child Safety, Civil Monetary Penalties, compliance, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, EBSA, Educational Privacy, Electronic Medical Record, employee, Employee Benefits, Employer, Employers, EMR, ERISA, FACTA, Fair Credit Reporting Act, FICA, fiduciary duty, FINRA, Government Contractors, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Internet, Management, Mental Health, officers, Physician, Plan Admistrator, Privacy, Professional Liability, Protected Health Information, Provider, Public Policy, Security, Technology, third party administrators, Uncategorized | Tagged: Cyber Security, Cybercrime, Data Security, Information Security, IT, medical data, Medical Privacy, medical security, Protected Health Information, speech | Permalink
Posted by Cynthia Marcotte Stamer

Strengthen Your Cyber Security By Sharing National Cyber Security Awareness Month Resources This Week

October 25, 2015

Halloween’s annual celebration of spooks and goblins peak is a perfect time to promote awareness and help American businesses and citizens build their skills to guard against the real and growing menace of identity thieves and other cybercriminals by getting involved with the 12^th annual National Cyber Security Awareness Month (NCSAM) in October, begin preparing to participate in the next annual “Data Privacy Day” on January 28, 2016 and joining in other activities highlighted through NCSAM and Data Privacy Day to help deter Cybercrime and identity theft threats. Even if your organization or family choose not to participate in any official or public way, checking out and using the many free resources provides an invaluable, free opportunity to raise your defenses against this rising risk.

With virtually every American business and citizen now connected to and using the Internet to conduct key personal and business transactions and the constant drive by government and business to digitize regular business transactions, no one agency, business or individual alone can truly know where and who has their sensitive data, much less reliably can defend this data against the identity and other theft and other cybercriminals lurking in the digital world’s virtual streets waiting to strike, then disappear in “Jack The Ripper” style into the darkness of the Internet. That’s why every American and American business should take time to participate and urge others to Get Involved in the 12^th Annual NCSAM activities this month and use the supportive resources offered through that involvement throughout the year.

Celebrated annually in October, NCSAM was created to provide resources to help Americans stay safer and more secure online through public-private collaboration between the U.S. Department of Homeland Security and industry led by the National Cyber Security Alliance (NCSA). NCSAM and its associated activities outreach to consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation. NCSAM 2015 particularly focuses on the consumer and his/her needs regarding cybersecurity and safety continuing the overall message of STOP. THINK. CONNECT. Campaign founded in 2010 and its capstone concepts: “Keep a Clean Machine,” “Protect Your Personal Information,” “Connect with Care,” “Be Web Wise” and “Be a Good Online Citizen.” NCSAM seeks to remind Americans to incorporate “STOP. THINK. CONNECT.” into their online routines and offers resources to help individuals understand and put these principles into practice into their online routine at the home, the office and elsewhere.

Designed to be accessible and understandable by consumers, many business and government organizations may want to support and promote their Cyber Security employee and customer training and awareness efforts by participating annually in NCSAM in October, signing up your organization to Data Privacy Day Champion and/or participating in Data Privacy Day on January 28, 2016, or otherwise using and sharing tips, tools and other resources in the Privacy Library such as:

General Privacy & Cyber Security Awareness

Be A Good Citizen On Line
Protect All Devices
Practice Good Online Safety Habits With These Tips & Advice
Spam & Phishing
Hacked Accounts
Check Your Privacy Settings
Privacy Tips for Teens – A video with STOP. THINK. CONNECT. tips to help teens be privacy-savvy and manage their online reputation.
“Perceptions of Privacy Online and in the Digitally Connected World,” a summary of the results of a 2013-2014 data privacy study conducted by the National Cyber Security Alliance’s Privacy Messaging Development Committee.
Data is Permanent Too – STOP.THINK. is this TMI? A short video created by the Intel Corporation.
Why Privacy Matters – The first in the series of explainers from Zero Knowledge Privacy Foundation.
The Fine Print of Privacy – The second in the series of explainers from Zero Knowledge Privacy Foundation.
“The Right to Fail in Citizenville,” a blog by David Hoffman, Director of Security Policy and Global Privacy Officer, Intel (March, 2013).
The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value, an e-book by McAfee’s Michelle Finneran Dennedy, Jonathan Fox, and Thomas R. Finneran.

Keep a Clean Machine/Cookies & Behavioral Tracking

Malware & Botnets
A video about cookies and why they matter created by the Wall Street Journal.
Information about the Network Advertising Initiative (NAI) offering opt-out of online behavior advertising and provides factual information about online behavioral advertising, privacy, cookies.

Health Privacy

What is HIPAA and Why Should You Care? A Patient’s Guide to HIPAA (Health Insurance Portability and Accountability Act)
Medical Records Privacy from Privacy Rights Clearinghouse
Understanding Health Information Privacy by the U.S. Department of Health and Human Services

Identity Theft Prevention & Clean Up

Links to resources at fraud.org about how to spot a scam, file a complaint and learn about scams.
“ID Theft & Account Fraud – Prevention & Cleanup” a helpful resource provided by Consumer Action offered in numerous languages.
Fighting Back Against Identity Theft and other information for consumers on how to deter, detect and defend against identity theft
IRS resources about how to report phishing.

Mobile App Privacy & Security

“Your Apps Are Watching You,” an investigative report from the Wall Street Journal found popular iPhone and Android apps are collecting and transmitting information without users’ awareness or consent.
Net Safety Tips On The Go app for Android phones app provides quick, practical, friendly advice one tip at a time.
Tips to help protect your privacy when using a mobile device provided by the National Cyber Security Alliance.
Microsoft’s “Location & Privacy: Where are we headed?” and “What Does Your Online Reputation Say About You?”
Protect your personal information while using public Wi-Fi with this video.
10 travel tips for protecting your privacy from PUBLIC WiFi.
Online Services – Banking, Dating & General Guidelines
Don’t Upload Financial Data to Questionable Sources video created by the Intel Corporation
The Perils and Pitfalls of Online Dating: How to Protect Yourself from the Privacy Rights Clearinghouse.
The Google Privacy Channel on YouTube offers a number of short informative videos on privacy issues including: interest-based advertising; use of privacy settings in Google Latitude; advertising privacy; and how to protect your privacy on Google Chrome.

Student & Educational Privacy & Security

I want to each online safety for Grades K-2, Grades 3-5 Middle and High School Higher Education and CSave Volunteer Lesson Plans & Materials
The Protecting Privacy in Connected Learning toolkit is an in-depth, step-by-step guide to navigating the Family Education Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA) and related privacy issues.
Securing Your Home Network
The Family Educational Rights and Privacy Act, or FERPA, is the main federal law that deals with education privacy, but there are a host of other laws, best practices, and guidelines that are essential to understanding education privacy. FERPA|SHERPA aims to provide service providers, parents, school officials, and policymakers with easy access to those materials to help guide responsible uses of student’s data.
General guidance for parents provided by the department of education Family Educational Rights and Privacy Act (FERPA)
Student Privacy 101: FERPA for parents and students – Ever have questions about your rights regarding education records? This short video highlights the key points of the family education rights and privacy act (FERPA).

Other Resources

About the Author

Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than years’ experience helping business and government organizations and their leaders manage. Ms. Stamer’s legal and management consulting work throughout her 28 plus year career has focused on helping organizations and their management understand and use the law and process to manage people, process, compliance, operations and risk including significant work in the prevention, investigation and remediation of data breach and other Cybercrime events.

Scribe responsible for leading the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) annual agency meeting with the Department of Health & Human Services Office of Civil Rights,Scribe responsible for leading the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) annual agency meeting with the Department of Health & Human Services Cynthia Marcotte Stamer’s practice has focused on advising and representing government and private technology, security, health care providers, health plans, health, schools and other educational organizations, insurance, banking and financial services, retail, employer and other organizations about privacy and data security compliance and risk management, breach and other investigations and enforcement, workforce and performance management and other risk management, compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

With data and technology use, protection and management imbedded in virtually every aspect of her client’s operations, data and other confidential information and systems use, protection, breach or other abuse investigation and response, enforcement and liability mitigation and defense and other Cybercrime and Cyber Security challenges are a continuous component of Ms. Stamer’s management work. Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce, data breach and Cybercrime, and other legal and operational crises large and small that arise in the course of operations. Ms. Stamer regularly helps clients design, administer and defend HIPAA, FACTA, data breach, identity theft and other risk management, compliance and other privacy, data security, confidential information and other data security, technology and management policies and practices affecting their operations. She also helps clients prevent, investigate and mitigate HIPAA, FACTA, PHI and other data breach hacking, identity theft, data breach, data loss or destruction, theft of trade secrets or other sensitive data, spoofing, industrial espionage, insider and other parties misuse of data or technology and other cybercrime and technology use concerns. Best-known for her extensive work helping health care, insurance and other highly regulated entities manage both general employment and management concerns and their highly complicated, industry specific corporate compliance, internal controls and risk management requirements, Ms. Stamer’s clients and experience also includes a broad range of other businesses. Her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external privacy and data security compliance, risk management, investigation and remediation, workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other legal and operational compliance, risk management, disaster preparedness and response, and liability defense and mitigation concerns arising out of organization’s operations.

Cindy also is widely recognized for her regulatory and public policy advocacy, publications, and public speaking on privacy and other compliance, risk management concerns. Among others, she is the author of “Privacy & Securities Standards-A Brief Nutshell,” “Privacy Invasions of Medical Care-An Emerging Perspective,” the E-Health Business and Transactional Law Chapter on Other Liability-Tort and Regulatory;” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA;” “Personal Identity Management Legal Demands and Technology Solutions;” “Tailoring A Records Management Plan And Process To Meet Your Legal And Operational Needs;” “Brokers & Insurers Identity Theft and Privacy Perils;” “HR’s Role In Personal Identity Theft & Cyber Crime Prevention;” “Protecting & Using Patient Data In Disease Management Opportunities, Liabilities And Prescriptions;” “Why Your Business Needs A Cybercrime Prevention and Compliance Program;” “Leveraging Your Enterprise Digital Identity Management Investments and Breaking though the Identity Management Buzz;” “When Your Employee’s Private Life Becomes Your Business;” and hundreds of other works. Her insights on privacy, data security, and other matters have appeared in The Wall Street Journal, Business Insurance, the Dallas Morning News, Spencer Publications, and a host of other publications. She speaks and has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer works with businesses and government organizations and their management, employee benefit plans, schools, financial institutions, retail, hospitality, and other organizations deal with all aspects of these and other operations performance and compliance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here, or the Stamer Chadwick Soefje PLLC website here. To contact Ms. Stamer, e-mail her at here or telephone (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com including:

Comments Off on Strengthen Your Cyber Security By Sharing National Cyber Security Awareness Month Resources This Week | Banking, Child Safety, Cybercrime, Data Breach, Education, Educational Privacy, Employer, FACTA, Fair Credit Reporting Act, Financial Security, FINRA, Gaming, health Care, HIPAA, Hospitality, HR, Human Resources, Identity Theft, Insurance, Internet, Managment, NCSAM, Privacy, Retail, Risk Management, Safety, Schools, Security, Technology | Tagged: Cyber Security, Cybercrime, Data Breach, Data Security, FACTA, FERPA, Health Care, HIPAA, Identity Theft, Internet Security, On-line Dating Safety, On-line Security, Privacy, Schools, Security, Teen Safety, Teens | Permalink
Posted by Cynthia Marcotte Stamer