Privacy & Information Security Law Blog

As reported in BNA Privacy Law Watch, on December 6, 2017, health care provider 21st Century Oncology agreed to pay $2.3 million to settle charges by the Department of Health and Human Services' (“HHS”) Office for Civil Rights (“OCR”) that its security practices led to a data breach involving patient information. The settlement was made public in the company’s December 6, 2017, bankruptcy filing. The HHS charges stemmed from a 2015 data breach involving the compromise of Social Security numbers, medical diagnoses and health insurance information of at least 2.2 million ...

On May 23, 2014, the Federal Trade Commission announced that the FTC’s Bureau of Consumer Protection sent a letter to the court overseeing the bankruptcy proceedings for ConnectEDU Inc. (“ConnectEDU”), an education technology company, warning that the proposed sale of the company’s assets raises privacy concerns. ConnectEDU’s assets include personal information collected from students, high schools and community colleges in connection with the company’s website and affiliated services.

On February 20, 2013, the UK Court of Appeal issued its decision in Smeaton v Equifax Plc, [2013] EWCA Civ 108, overturning an award of damages to an individual about whom a credit reference agency had maintained an inaccurate record.

On September 6, 2011, a bankruptcy court approved an agreement between bankrupt bookseller Borders Group, Inc. (“Borders”) and Next Jump, Inc., (“Next Jump”) regarding Next Jump’s alleged trademark infringement and unauthorized use of Borders’ customer information.  Next Jump stipulated that it will not communicate with persons on Borders’ customer list, and that it would remove the Borders name and marks from websites that Next Jump owns or operates.

As we recently reported, the FTC expressed its opposition to a move by creditors of bankrupt XY Magazine to acquire personal information about the magazine’s subscribers, on the grounds that such a transfer would contravene the magazine’s privacy promises and could violate the Federal Trade Commission Act.  The magazine, which catered to a young gay audience, had a website privacy policy that asserted   “[w]e never give your info to anybody” and “our privacy policy is simple: we never share your information with anybody.”  Readers who submitted online profile information were told that their information “will not be published.  We keep it secret.”  The personal information at issue included the names, postal and email addresses, photographs and online profiles of more than 500,000 users.

David Vladeck, Director of the FTC’s Bureau of Consumer Protection, recently sent a letter to creditors of XY Magazine, warning that the creditors’ acquisition of personal information about the debtor’s subscribers and readers in contravention of the debtor’s privacy promises could violate the Federal Trade Commission Act (“FTC Act”).