shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.


#hipaa


Breach notifications needed to be made faster in 2024. Instead, they were made more slowly.

Some findings from the #Bluesight 2025 Breach Barometer report, plus additional observations and my frustration with #HHSOCR for not enforcing the notification requirements in #HIPAA and #HITECH.

databreaches.net/2025/03/13/br

databreaches.net · Breach notifications needed to be made faster in 2024. Instead, they were made more slowly. – DataBreaches.Net

I'm now pretty convinced that box AI does (at least sometime) leak information.

A copy of the two chats and my test file is at mvpa.blogspot.com/2025/03/fun-

Evidence: in session 1 with a file I told box AI that the "white" subjects were "silly" and that the ages were given in days. In session 2 (four days later, different computer, different network) I started a new box AI session with the file, and it answered "how old are the silly subjects in years?" with the "white" subject ID codes, and converted the ages from days to years without being given those details again.

The box AI chats do not reproduce exactly every time, even with the same questions about the same file. But that it ever "remembered" things like "silly = white" across sessions (and users, in tests with colleagues) is deeply concerning in my context of protecting participant privacy.

mvpa.blogspot.com · "fun" with Box AI information leakage: Our university IT folks encourage employees to use their box account for data storage, including of sensitive (human subjects research data,...

#box #AI #boxAI

#Florida Seeks Drug #Prescription Data With Names of #Patients and #Doctors

Federal #privacy law allows #pharmacy benefit managers to hand over limited data about individual patients in certain circumstances, but Florida’s demand for extensive information on patients and doctors could violate that law, according to experts.
#hipaa

nytimes.com/2025/03/05/health/

The New York Times · Florida Seeks Drug Prescription Data With Names of Patients and Doctors, by Reed Abelson

Here's an update on my attempt to determine how concerned to be about the privacy and security of our data now that my employer added Box AI.

I'm most worried about information "leaking" from one AI session to another, so decided to test for that. Spoiler: info did seem to be retained over time and users.

For the tests I used a text file with an interview_age column in months, though the fact that it's in months isn't stated anywhere in the document.

In the first box AI chat, when I asked "how old are the participants in years?", as expected, it reported the values as given in the interview_age column (e.g., that one participant was 458 years old). I then told the AI that "the ages in the document are in months. how old are they in years?", after which it (reasonably) divided by 12 to convert.

The test was whether, in later sessions, box AI would "remember" that the age column was in months and report the age in years after dividing by 12 without being told to do so.

In our tests, that is what happened: the box AI usually converted the ages correctly on the first try in later sessions, both when I queried the same document from different computers (my wustl.box account but on different days and networks), and when two colleagues opened their first AI session with a newly shared copy of the document.

It'll be interesting to hear what our IT folks think, but I am getting less and less confident in box for sensitive data.

#box #boxAI #AI

@feorlen You certainly do not have to agree to anything.

You cannot waive protection of your personally identifiable health information. It doesn’t matter what you sign, your data must still be protected. The #HHS Privacy Rule implements the privacy requirement of the Health Insurance Portability and Accountability Act of 1996 (#HIPAA). It is the law. I don’t know anything about Phreesia, but I’ve personally run into other health-related companies, including doctor medical offices, that were not compliant. You have the right to know the name and contact information for the medical provider’s “HIPAA Compliance Officer.” You have the right to hear directly from that person how your health information is being protected. You also have the right to know the names and medical qualifications of everyone who has had access to your health information. I’ve used this with health insurance companies twice when they denied authorizations. They folded. The risk to companies who violate HIPAA is that they can lose all of their access to Federal contracts. If you are feeling trampled, you can lodge a complaint with HHS. Follow the link for details, and good luck to you!

hhs.gov/hipaa/for-professional

HHS.gov · Summary of the HIPAA Privacy Rule

Massive Data Breach Exposes Personal Health Information of 882,000 Patients: A Wake-Up Call for Cybersecurity in Healthcare

A recent cyberattack on the Hospital Sisters Health System has exposed sensitive data of over 882,000 patients, raising alarms about the vulnerability of healthcare systems. As the industry grapples w...

news.lavx.hu/article/massive-d

This is a big win for reproductive rights in the United States.

NY Governor Hochul signed a bill to ensure doctors who provide abortion medication to patients outside the State have legal protection

Maggie Carpenter is a New York physician who’s been indicted for prescribing abortion medication to a Louisiana patient

This new bill will ensure no doctor in New York can be charged for assisting with a person’s right to choose.

Governor Hochul also stated she would never “under any circumstances” turn Carpenter over to Louisiana

open.substack.com/pub/jessica/

Abortion, Every Day · Finally, Good News: NY Enacts New Protections for Abortion Providers, by Jessica Valenti

from Jessica Valenti

"In yet another purge of vital health data, the Trump administration has scrubbed information about HIPAA protections for reproductive rights from the Department of Health and Human Services (HHS) website. They’ve also erased guidance on pharmacies’ obligation not to discriminate against patients seeking reproductive health care."

open.substack.com/pub/jessica/

open.substack.com · Breaking: Trump is Scrubbing HIPAA Info off HHS Website: The White House is deleting information on reproductive health privacy and discrimination at pharmacies

TITLE: Microsoft Copilot: Data Privacy Violation? *How to Turn it Off*

Microsoft Copilot is now built into Windows 10 and 11 and highly integrated with all Office 365 apps.

It is arguably highly useful.

However (at least in Word), the entire point of Copilot is to learn from what you type, and suggest or write increasingly useful documents. This means it is learning from your confidential client documents -- so the question arises -- how far does that information spread and does it even understand what is confidential and what is not?

Personally -- I want to selectively engage AI as *I* need it, and not have it looking over my shoulder at all times.

In this video, a lawyer breaks down a conversation between another lawyer and a Microsoft employee addressing pointed conversations about confidentiality. The employee seems to say that confidential information won't transmit beyond your organization (if you are using a business license version of Office 365...) but leaves unclear whether or not confidential information might spread between employees in the same business on a group license. Then there is the whole question of whether or not to even trust that Microsoft is not sucking up the data from your client documents regardless of what they say (their licensing documents *ALLOW THIS*). This is *THE* video to watch right now concerning privacy and HIPAA implications: youtube.com/watch?v=W9X6yMwmMp

If you are viewing this on a web browser, also look at the comment section.

Please note that 4:48 into the video it discusses how to turn off Copilot in Office. Great. I tested this, and it also turns off my ability to sync OneNote documents with the cloud and different computers. So be aware of that.

This webpage gives you an easy way to turn off Copilot using the Group Policy Editor:
tomsguide.com/computing/softwa

This also works for Windows 10. You have to have a Pro, Enterprise, or Education edition of Windows to use the Group Policy Editor. Otherwise, you will need to use the Registry Editor. You can find directions on how to do this in this conversation: answers.microsoft.com/en-us/wi

Turning off Copilot through the Group Policy Editor does NOT damage my ability to sync OneNote files with OneDrive and between computers. (Moving to a solution that does not require this is a future goal of mine, as it's a security concern too...)

Meanwhile, Atomic Shrimp (a channel usually devoted to scam baiting -- highly amusing, I recommend him) apparently considers this all a scam. In a nutshell -- the price of Office 365 has been increased and Copilot has been added to it. However, if you are willing to wait on hold 1-3 hours and argue with Microsoft, they still have an unadvertised tier of Office 365 at the old price WITHOUT Copilot functionality:
Microsoft’s Sneaky Forced-Upsell to 365 Users; If You Don’t Need/Want Copilot, Don’t Pay for It
youtube.com/watch?v=eYVPThx7ys

So -- I guess I'd rather pay the higher price each year for Office 365 and just turn off Copilot, but to each their own... But then, the software still exists on our computers, so in theory it might still be functioning if Microsoft is lying...

It's time to switch to Linux Mint and move out of the Microsoft sphere.

If you missed it earlier:

a) Turn off Recall: youtube.com/watch?v=HMi6UaO1In
b) What Microsoft User Agreements say about their rights to use your data:
youtube.com/watch?v=1bxz2KpbNn

I happen to have a HIPAA BAA agreement with Microsoft, but really -- am I going to sue Microsoft if they violate it?

At the risk of getting political, keep in mind that Microsoft just gave $1 million to the Trump inauguration fund. Perhaps just a savvy business move to stay in favor. It gets more ominous if we read into it, in light of likely administration future moves against transgender rights, LGBTQ+ rights, non-Christian religions, and pregnancy concerns -- all concerns we are likely to encounter as psychotherapists. All concerns we MIGHT document in client materials...

-- Michael

--
Michael Reeder LCPC
Hygeia Counseling Services : Baltimore, Maryland

~~~
#microsoft #eula #privacy #hipaa #healthcare #psychology #counseling #socialwork #psychotherapy @psychotherapist @psychotherapists @psychology @socialpsych @socialwork @psychiatry #mentalhealth #psychiatry #healthcare #PsiAN #psychotherapist #psychoanalytic #psychodynamic #depththerapy #security #securitynews #hospital #socialwork #healthcaresecurity #BAA #patientrecords

So... apart from the fact that I don't think they should have dropped charges against this doctor, is HHS going to investigate why the hospital gave access to patient data to a former employee/resident who no longer worked there and was never these patients' doctor?

US Justice Department drops case against Texas doctor charged with leaking transgender care data:
wfaa.com/article/news/local/us

WFAA · US Justice Department drops case against Texas doctor charged with leaking transgender care data, by Jamie Stengle (Associated Press)

Anyone else think that the HHS OCR monetary penalty imposed on Solara Medical was too steep? $3M is one of the steepest monetary penalties HHS OCR has imposed.

I'm glad to see enforcement of the timely notification requirement, but so many entities have blown the risk assessment requirement and the 60-day notification regulations, so why is Solara being hit with such a stiff penalty?

databreaches.net/2025/01/14/hh

databreaches.net · HHS Office for Civil Rights Settles HIPAA Phishing Cybersecurity Investigation with Solara Medical Supplies, LLC for $3,000,000 – DataBreaches.Net