In this Newsletter
Regulations & Guidelines
American Data Privacy Act
In a significant bipartisan effort, key members of U.S. Congress have unveiled a draft federal privacy bill aimed at establishing a national data privacy and security standard. The proposed American Privacy Rights Act, discussed by U.S. House Committee on Energy and Commerce Chair Cathy McMorris Rodgers and Senator Maria Cantwell, focuses on data minimization, consumer rights to manage their data, and aims to replace the patchwork of state laws with a stronger federal standard, addressing the pressing need for consistent privacy protections across the nation.
EU Parliament Votes To Strengthen GDPR Enforcement
The European Parliament voted to refine the enforcement procedures of the General Data Protection Regulation (GDPR), with 329 in favor, 213 against, and 79 abstentions. The proposed adjustments aim to enhance collaboration among national data protection authorities, improve dispute resolution mechanisms, and unify specific procedural rules and rights throughout EU Member States.
Colorado Protects Brain Wave Privacy With First Neurodata Law
Colorado has become the first state to legally protect neural data as private information, with Governor Jared Polis signing a law that classifies nervous system activity as sensitive data under the state's consumer privacy law. This legislative move mandates companies to obtain consent before collecting or processing neural data, addressing emerging privacy concerns linked to neurotechnology that can record, monitor, or alter brain activity.
HHS Finalizes Rule To Strengthen Reproductive Health Data Privacy Under HIPAA
The Biden-Harris administration, through the Department of Health and Human Services (HHS), has issued a final rule under the HIPAA Privacy Rule to enhance the privacy of patients and providers involved in lawful reproductive healthcare. This new regulation, which arose in response to concerns following the overturning of Roe v. Wade, prohibits the disclosure of protected health information (PHI) to pursue legal actions against patients or healthcare providers, aiming to safeguard their ability to access and provide safe, legal healthcare without fear of legal repercussions.
FTC Finalizes Changes To The Health Breach Notification Rule
On April 26th, 2024, the Federal Trade Commission finalized updates to the Health Breach Notification Rule (HBNR). These changes enhance and update the rule by specifying its relevance to health applications and related technologies, and by broadening the details that covered entities are required to disclose to consumers when informing them of a breach involving their health information.
Data Privacy Enforcement
Cerebral Telehealth to Pay $7 Million Fine Over Patient Privacy
Cerebral Inc. has agreed to a $7 million settlement with the FTC and committed to halt the use of health data for advertising, following charges of mailing unsecured postcards linking patients to their medical diagnoses. The telehealth company and its former CEO were also found to have shared sensitive data with third-party marketers like TikTok, LinkedIn, and Snapchat, in violation of their own privacy assurances.
EDPB 2023 Annual Report
The European Data Protection Board's 2023 annual report details its work from the previous year, including issuing guidelines on deceptive design and facial recognition, and providing advice on data privacy within the EU-US framework and GDPR enforcement.
Data Breach & Cybersecurity
Hackers Stole 340,000 Social Security Numbers From Government Consulting Firm
Greylock McKinnon Associates (GMA), a U.S. consulting firm, disclosed a data breach in a filing posted on Maine's government website, revealing that hackers had stolen up to 341,650 Social Security numbers. The breach, announced through a mailed notice to affected individuals, occurred during a cyberattack in May 2023; GMA, which provides support to various companies and U.S. government agencies, including in civil litigation matters with the Department of Justice, said it responded swiftly to mitigate the incident.
Change Healthcare Stolen Patient Data Leaked by Ransomware Gang
An extortion group known as RansomHub has released sensitive patient data stolen from Change Healthcare in a ransomware attack, marking the first time cybercriminals have publicly disclosed possession of such records. This incident is compounded by the fact that it's the second ransom demand faced by Change Healthcare in recent months, with the parent company, UnitedHealth Group, actively investigating the breach amidst claims of internal disputes within the ransomware gang complicating the situation.
Kaiser Reports Data Breach Affecting 13.4M People
On April 26, 2024, Kaiser Foundation Health Plan reported a massive data breach to the HHS Office for Civil Rights (OCR), involving 13.4 million records, after tracking technologies on its websites and apps shared data with third-party vendors such as Google and Microsoft. This incident, the largest reported to OCR in 2024, involved sensitive information such as member names and IP addresses, leading Kaiser to remove the offending technologies and to plan customer notifications for May.
Artificial Intelligence
Auditing Large Language Models For Race And Gender Bias
An audit of state-of-the-art large language models like GPT-4 reveals systematic biases: the advice these models provide often disadvantages names commonly associated with racial minorities and women, with the least advantageous outcomes observed for names associated with Black women. The study finds that the biases are consistent across scenarios and models, suggesting a systemic issue. It also reports that numerical anchors are effective at countering these biases while qualitative details may exacerbate disparities, and stresses the need for rigorous audits at deployment to prevent harm to marginalized groups.
The Rise Of The AI Officer
The number of companies appointing a designated head of AI, or Chief AI Officer (CAIO), has nearly tripled worldwide in the past five years, fueled by advancements like ChatGPT and governmental measures such as the White House mandating federal agencies to have chief AI officers to manage and oversee AI use responsibly. While CAIOs are crucial for steering AI deployment within organizations, enhancing efficiency, and tackling ethical issues, their exact responsibilities remain undefined, and the sustainability of the role is uncertain given the rapid evolution of job titles in corporate environments.
Generative AI Is Supposed To Save Doctors From Burnout. New Data Show It Needs More Training
Recent research from institutions like the University of California, Mount Sinai, and Mass General Brigham reveals that while large language models (LLMs) are increasingly used in healthcare, they sometimes complicate rather than simplify doctors' workloads. These studies highlight issues such as the premature deployment leading to errors, the need for thorough testing despite the hype, and persistent challenges in applications like generating diagnostic codes and operating patient chatbots.
Xaira, An AI Drug Discovery Startup, Launches With $1 Billion
ARCH Venture Partners and Foresite Labs, an affiliate of Foresite Capital, have announced the incubation and funding of Xaira Therapeutics, an AI biotech firm. Having operated in stealth mode for approximately six months, the company has secured a substantial investment of $1 billion. Additional backers of Xaira Therapeutics include F-Prime, NEA, Sequoia Capital, Lux Capital, Lightspeed Venture Partners, Menlo Ventures, Two Sigma Ventures, and SV Angel. The company will be led by Marc Tessier-Lavigne, former Stanford President.
Nvidia's Plan To Dominate Biotech's AI Revolution
The chipmaker has emerged as a leading figure in the most dynamic sector of biopharma R&D—utilizing artificial intelligence for drug design. It has established a revenue stream exceeding $1 billion in the health sector and is increasingly convincing the industry that this might be the pivotal moment for technology in healthcare, though not necessarily in the ways previous contenders envisioned.
Data Governance
EU Drops Sovereignty Requirements In Cybersecurity Certification Scheme
Amazon, Google, and Microsoft may have an improved chance at securing EU cloud computing contracts as new draft cybersecurity labelling rules no longer require vendors to be independent from non-EU laws, as per a document viewed by Reuters. This development comes as the European Union works to finalize a cybersecurity certification scheme (EUCS) that ensures cloud services are secure and trustworthy for use by governments and businesses within the bloc.
The European Health Data Space Overcomes Its Final Obstacle In Parliament
The new European regulation establishes a framework for sharing health data across EU states, enhancing GDPR protections and managing cross-border healthcare. It also sets up robust governance for digital health, allows connections with non-EU entities under strict conditions, and will be implemented gradually over the next 2 to 6 years, requiring regulatory adjustments in member states like France.
Podcasts
- Foundation Models for Pathology with Razik Yousfi
- The Societal Impacts of Foundation Models, and Access to Data for Researchers
- The Sound: A Game-Changing Tool for Holistic Health Monitoring? With Dr Roeland Decorte
iliomad's News
CNIL Approval
We are pleased to announce that the ICM - Institut du Cancer de Montpellier - has received authorization from the French Data Protection Authority (CNIL) to conduct the APAD-ECO study. The study, approved on April 19, will explore the medico-economic effects of physical activity on women who have been treated for breast cancer. It will analyze data from two clinical trials and from the Caisse nationale de l’Assurance Maladie covering 2009 to 2022, assessing the long-term benefits of physical activity for these patients. Our role in supporting the ICM with a compliant Data Protection Impact Assessment was key in securing this approval from CNIL.