On the heels of the concerning security incident experienced by FireEye, and during the investigation of that incident, FireEye discovered that multiple updates issued by SolarWinds, a cybersecurity firm that many governmental and private companies use to monitor networks, were “trojanized”: malware was inserted into the updates between March and May of 2020.

The malware allowed Russian operatives to hack into several governmental agencies, including the Departments of Homeland Security (DHS), State, National Institutes of Health, Commerce (National Telecommunications and Information Administration Office) and Treasury. In addition, it is reported that the Departments of Justice and Defense also were customers of SolarWinds. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all government agencies to disconnect and stop using SolarWinds.

This compromising situation is obviously concerning for national security, particularly because CISA’s Director Christopher Krebs was recently summarily dismissed and many other top leaders of the organization have departed, at the very time when we most need strong leadership from the federal agency in charge of cybersecurity.

Unfortunately, the bad news doesn’t stop there. SolarWinds reported to the Securities and Exchange Commission this week that it believes that approximately 18,000 of its private company customers also could be affected by the malware.

Security experts are warning all private companies to follow the CISA emergency directive issued to federal agencies and to disconnect and stop using SolarWinds until the details can be sorted out. That is sound guidance for companies that use SolarWinds to mitigate risk until more information is available. It is important that executives and IT personnel be in close contact about whether the company uses SolarWinds and heed the CISA emergency directive to disconnect while the effects of the compromise are being determined.

Ancestry.com (Ancestry) was sued on November 30, 2020, in a putative class action case filed in the Northern District of California for “knowingly misappropriating the photographs, likenesses, names, and identities of Plaintiff and the class; knowingly using those photographs, likenesses, names, and identities for the commercial purpose of selling access to them in Ancestry products and services; and knowingly using those photographs, likenesses, names and identities to advertise, sell and solicit purchases of Ancestry services and products; without obtaining prior consent from Plaintiffs and the class.”

The allegations stem from Ancestry’s business model of acquiring “huge databases of personal information…then selling access to that information for subscription fees.” According to the Complaint, “Ancestry’s databases comprise billions of records belonging to hundreds of millions of Americans.” In particular, the lawsuit alleges that Ancestry’s database “entitled ‘U.S., School Yearbooks, 1900-1999 (“Ancestry Yearbook Database”), which includes the names, photographs, cities of residence, and schools attended of many millions of Americans…includes over 60 million individuals records from California schools and universities.”

The Complaint alleges that Ancestry failed to obtain consent from, give notice to, or provide compensation “to tens of millions of Californians whose names, photographs, biographical information, and identities appear in its Ancestry Yearbook Database,” that this information uniquely identifies individuals, and that Ancestry sells access to the records to subscribers.

Neither of the named plaintiffs is a subscriber to Ancestry.com, yet their yearbook pictures and specific information are located and searchable within the database.

The claims against Ancestry include violation of California’s Right of Publicity Statute for “misappropriation of a name, voice, signature, photograph, or likeness in advertising or soliciting without prior consent,” which provides for statutory damages of up to $750 per violation as well as declaratory and injunctive relief; violation of the California Unfair Competition Law; intrusion upon seclusion; and unjust enrichment.

Continuing with its previous enforcement actions centered on covered entities’ failure to provide patients with access to their health records, the Office for Civil Rights (OCR) announced on October 9, 2020, that it entered into a settlement with Dignity Health, doing business as St. Joseph’s Hospital and Medical Center in Phoenix (St. Joseph’s), for $160,000 for failing to respond to multiple requests from a mother for her son’s records.

According to the OCR, a patient’s mother requested her son’s medical records on multiple occasions, and St. Joseph’s failed to respond to her requests. She complained to the OCR, which commenced an investigation. Although St. Joseph’s provided partial records within months of the mother’s initial request in January 2018, the request was not fully complied with until December 2019.

The OCR stated, “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.” The OCR warned covered entities by further stating, “OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”

In addition to the settlement of $160,000, St. Joseph’s is subject to a two-year corrective action plan that requires it to retrain its employees, update its policies and procedures around access to records, and distribute them to employees.