
RPP Privacy Briefs: February 2019

The cybersecurity firm UpGuard says millions of files from the Oklahoma Department of Securities, some of which contained protected health information, were left unguarded online. Some of the files included Social Security numbers, while others included health records with names and even T-cell counts of patients with AIDS. The information dated back to 2015, according to UpGuard, but it wasn’t accessible online until last November. UpGuard notified the Oklahoma Securities Commission in early December, and the files were taken down. It’s not clear whether any of the information was stolen while it was unprotected online. Read more at

Lawmakers in Oregon have proposed legislation that would let patients sell their de-identified health data and profit from it. Consumers could elect to receive payment in exchange for authorizing the sale of de-identified protected health information. At the same time, the bill prohibits commercial sale of health information by HIPAA covered entities, business associates, subcontractors or other third parties without authorization of individuals whose health information would be included in the sale. The bill also prohibits HIPAA covered entities from discriminating against individuals who decline to allow their personal de-identified information to be sold to third parties. The legislation has more than 40 co-sponsors, with bipartisan support. The idea for the legislation to treat personal data as property came from, a company that has built a blockchain-based app that lets people sell their personal data. has had similar conversations about introducing this type of legislation in other states, including New Jersey. View the legislation at Learn more at
