
Good Morning Everyone,
National-level rulemaking, federal enforcement, and an unexpected website-tracking exposure all converged this week to remind us that “de-identified” no longer means “risk-free.” The Department of Justice has folded anonymized data into a new security regime carrying criminal penalties; OCR has penalized a small neurology practice for skipping a basic risk analysis; and Covered California is investigating how LinkedIn tags captured pregnancy and domestic-abuse answers from insurance-shopper forms. Each story underscores the same theme: technical and contractual controls must keep pace with regulators, threat actors, and marketing tech alike. Dive into the details below:
Regulatory Updates
DOJ Final Rule Pulls De-Identified Data into National-Security Net
The U.S. Department of Justice’s new Data Security Program (DSP)—effective April 8—treats anonymized, pseudonymized, and de-identified information the same as identifiable data when it is part of “bulk U.S. sensitive personal data.” Licensing or otherwise giving a country of concern (or its affiliates) access to such data—or to an AI model capable of reproducing it—can now trigger civil and criminal penalties. Contracts must be revisited to confirm CISA-level safeguards, country-of-concern restrictions, and robust risk-management clauses. Because the rule rejects HIPAA-style de-identification as outdated, data licensors, brokers, and AI developers that once relied on de-identification safe harbors should brace for increased DOJ/FTC scrutiny and tighter diligence in cross-border deals. Learn more at Baker Donelson
Enforcement Actions
Comprehensive Neurology Pays $25,000 After Ransomware Breach
The Office for Civil Rights (OCR) has reached a $25,000 settlement with Comprehensive Neurology, PC—a small New York practice—after a 2020 ransomware attack encrypted its entire network and exposed the electronic protected health information (ePHI) of 6,800 patients. OCR determined the practice failed to perform the “accurate and thorough” risk analysis required by the HIPAA Security Rule, leaving critical vulnerabilities unaddressed. Under a two-year corrective action plan, Comprehensive must complete a full risk assessment, create a risk-management program, update security policies, and retrain its workforce. This marks OCR’s 12th ransomware enforcement action—and the 8th under its Risk Analysis Initiative—highlighting that even the smallest providers face significant penalties if foundational security practices are neglected. Learn more at HHS
Data Breach Notices
Covered California Shared Sensitive Enrollment Details with LinkedIn Trackers
A CalMatters/Markup investigation found that the state’s health-insurance marketplace, Covered California, had more than 60 third-party trackers on coveredca.com—far above the state-site average of three—including a LinkedIn Insight Tag that captured visitors’ answers about pregnancy, domestic-abuse status, blindness, prescription-drug use, gender identity, ethnicity, and even selected doctors and hospitals. The data flow appears to have run from February 2024 to early April 2025, when the tag was pulled amid a vendor transition. Covered California says all advertising tags are now disabled and it has launched a site-wide privacy review. Privacy advocates warn the inadvertent disclosure of such granular health information to a for-profit platform is “concerning and invasive,” underscoring growing regulatory scrutiny of pixel-based tracking and the need for strict tag-governance on public health sites. Learn more at CalMatters
Closing Thoughts
This week’s stories drive home one point: de-identification, risk analysis, and ad-tech governance are now mission-critical. Review AI and data-licensing contracts in light of DOJ’s new rule, make sure your ransomware risk analysis is current, and audit every pixel or tag that can leak sensitive health details—small oversights now carry big regulatory and reputational costs.
Stay informed and stay secure!