False Verkada HIPAA Compliance And Legal Risks Investigated
Verkada has repeatedly and falsely claimed to be certified HIPAA compliant. A HIPAA consultant told IPVM that Verkada's actions are a "HIPAA disaster," while Verkada refused to provide any explanation for its HIPAA compliance claims.
Inside this note, from the fallout of the Verkada breach/hack, we examine:
- What Verkada has claimed
- Verkada's response to IPVM
- What HIPAA consultant Abner Weintraub says about the hack and their compliance
- What issues exist for Verkada and its HIPAA-covered client
Verkada's ***** ******
******* ***** ******** ****** ****** ** HIPAA **********. *** *******'*"******* ********** ****" ************ **** *** '*********' ** ** HIPAA *********:
*** *****"********** & ******** ***********" **************** ******** **** *************:
*** ***** ** *********** **** ******* ********** ************ *******:
*** ******* ********** ****** ********* ********, ***** ******** "***** ********* ********" from *******:
***** * ******** ******** * **** ****** *** ******* hack/breach:
**** ******** * ********* ********************** ***** ********* **** *******:
******,*******'* *** ***** ******** ********** *********** "********* ****** ***** ******* ** be ********* **** *****":
**’** ********** ******* ***** ******* *** cyber ******** — ** ****, ****’* part ** *** **’** **** ** successful. *** *******, ****** **** ** an ******** ******* *** ** ******* we ***conscious ****** ***** ******* ** ** ********* **** *****. [emphasis added]
Verkada = ***** ******** *********
*******, ********** ***** ********* **** *******,**** **** **** ********** **** ********* that **** **** * ***** ******** associate *** **** ****** **** *****:
No ***** ** ******* *** ******* ***** ********** ******
******* ****** ** ****** *****, *******, source, **********, *************, ** ***** ********** for *** ***** ********* ******. ********, we ********** ***** ******* *** **** evidence *** ***** ******* *** ******* a ******* ********, **** ******* ** address *** **** ** *****.
** ********, ********* **** *** ************* * ******* **** *** * data ****** ********** ***** *************** ***** HIPAA *********, *******:
*** ******* ******* *********** ********* ** by *********** **** * ********** ****** or ***** ***** *** ******** ******’* information ********* *** ********** **** *** HIPAA’s ************.
Violations ** *****
**** *******'* ***"******** ***** *********"********, *** *********** ***** ********** *** a ***** *** ** ****
*****, ******* ****** ******** *** "******* necessary ***********", ** ***** *****:
*******, *******'****-******** ***** ***** ********, ** **********, ********** ***** ***** of '******* *********' ***********.
********, ***** ******* ********** *** **** to ****** **** ** *********** ****** to *** ***** *******, ** ************** has ******** ** ***** ****** ** its *** ********* ****** ** ******** systems *** ***** *****:
*******, ******* ****** **** ********* "************* audit ****" ******* **** ** ** HIPAA *********:
*******, ***** ******* *** **** ***** logs **********, *** ~*** ** ** employees **** ***** ***** ******** **** could *** ** ** ****'* ******** were *** ******** ****** *** ********* to *****.
"A ***** ********"
********* **** *** ******* **** ** "a ***** ********" **** *** "****** at *** ***** ** ***** ********, the **** ********, ** ***** ****** admin ********."
**'* ** ********** *** * ******* to ** ******** ****** ***** *** sophistication *** ************* ******* ** ** doing **** **** *** *** ******** their ******* ** *** *** **** they ***. *** **** ****** *** media ******* **** *** ***** ******** abuse ** ***** ** ***** *** systems ******* ***** *** *********. **'* just * *******. ****, * ******'* trust **** **** ** ******** ** this *****, ** *** *** *****. I ******'* ***** **** ********.
*** ********** **** ******* *** *** track ****** ********** ********** ** *** *******'* *** employees******* ********** **** **** ****** **** breach *** *******:
** * ****** **** ******** *** been ****, *** **** ** ******* cameras ** ******* ***** ********* ** a ***** ***** *** *** ******* been ***** *** ***** ***** *** cameras ** ****** ***** *** ********* - ** ***** *****, * **** of ******** ** *** ****** *** obvious, *** *** ** *** ***** freely, ****** ********* ** ****** *** looked - *** **** ** ******* those ******* ** ******* ***** ******** an ******** **** **** ****** **** been ********** ** *** ********** **** analysis.
***********, ** **** "******* *** ************** ******* ******* **** ** ********, and ***** ** ****** ** ** penalized -- ********** ** *******."
**'* *** **** ******* **** ***** face ************, *** ***** ********* ** well. ********* ** *********, "** **** was ******** **********, ********* ** *** letter ** *** ***, ** ***** represent ******** ** ******* ** *****. And ***** **** **** ***** * few ************ ****** ********* ****** [*** HIPAA **********]."
Legal **** ** *******
***** *******'* ***** ********** *** ** substantial, *** *********** ** ***** ********* will ***** ** *** ******* **********'* current *********** ******. *** ****** ** Civil ****** (***) ** *** ********** of ****** *** ***** ******** ** responsible *** ****** ******* ***** *********; according ** *********, *** *********** *** been "**** *****" ** ****** *****.
*******, *** ***** ** ******* **** can ***** *****-******* ******* ** ***** has ******** ** ****** ***** ***. Not **** *** ***** ******** **** as *** *** ***** ******* *** HIPAA **********, *****-***** ********* ******* *** as ****.
Response **** *******
******* ******** * ******* ******** ** IPVM ***** ********* *********:
*** ************* ** *******. ** ******** our ********* ** *** ******** ******** and *** ******* **** ******** ********* to ********* ****, ** ***, ********* health *********** *** **** **** ******* in **** ******.
******* ******* ** ******* *** ** justified ** ***** *** ***** ********* marketing ******.
***** ** *** ******* ** *** security ***** * **** **** *** most ******* **** ** *** ***** article:
** * ****** **** ******** *** been ****, *** **** ** ******* cameras ********* ***** ********* ** * third ***** *** *** ******* **** noted *** ***** ***** *** ******* to ****** ***** *** ********* - in ***** *****, * **** ** controls ** *** ****** *** *******, and *** ** *** ***** ******, freely ********* ** ****** *** ****** - *** **** ** ******* ***** cameras ********* ***** ******** ** ******** risk **** ****** **** **** ********** in *** ********** **** ********.
** ******** *************, ** **** ****** our *********, *********, *** ***** ** supporting ********* **** *******. ** ** up ** ** ** ************* ** make ******* ******* *** ****** ********** power ** ********* *** ****** ** move **** **.
** ******** *************, ** **** ******
**'* * **** ***** *** * agree ****'* ** ***** **** ****** who ***** ** ************** ******** **** are **** "**** **** ******* ****** harassment ** ***** *** ********* ***** media ******** ****** *** ******* *** they **** **** ** **** *** sorry *** ** ***'* ****** *****. So ****** **** ** **".
**** ** **** *** **** **.
**********: **** **** ** ** ***** a ****** ***
**** **** * ****** ***** **** not ******* ******** ** ***** *********. Even *** ***** ************** *** ****** (e.g. ***********) **** *** ******* ** endorsed ** *****. ***** ********* ** one *****, ********* ** *******.
*** ******** ***** **** ** ***** correct, ***** ** ** ******** ***** certification. ***** *** *****-******* **** **** review * ******* *** ********** *** provide ***** *** ********** ************* *** customers. *** **** ** ***** ** be "*********" ** ***** ********* ** a *****-***** ** *********. *** ** far ** ** **** (** ***** Verkada, **** ****'* ******), ******* ** not ********* ** * *****-***** ****.
**** **** *'** ****, * *****. There's ** **** ***** ** ***** certification. ****** **** *** ** **.
*'* ** ***** ****** *** *** certain ** *** ******** ******** ** this ****** *** *** ******* **** -***** ****** *** *********: *******, ********, and ****** ************ *****- ******** **** ****** *** ***** compliance.
******* ****, **** ***** *** ***** to ******* ** ****** *** ***********(*) that ******** ******* ** *** "******** associate," (*******) ******.
** ** * ********** ** *** actual ********** ******** ** *********** *** maintaining ***** ********** *** ** ** that ******** *** *** ** **** liable *** ******* ** ******. ******** these ******* **** ******* **** ****** is * ********* *** *** ******** and ******* ** ** **** *** cameras *** ** ***** (** **** as *** *** ***** ******* ******** and ******** ** *** *****.)
*** ********/******* ************ *** **'* ********* are ** ****** ********** *********** ** protect *** **** ** ***** ******** in ********** **** *** ********** *** compliance ************, ********* *********** *** ***** by *****.
**** ******** *******, *** ******* *** user ********* ******* *** ****** ** not **** ******* ***** ********** ************, but ** **** *** ******* ******* them.
**** ** * ****** *** *** claim ***** **********, *** ********** *********** would ** **** ** ****** ** not ***** ** ********* ******* *** general ******* ** ** ************* ******* data. ******* ** ***** **** *** expect **** ****** ** ********* ********* Federal ******* **** *** ******* *** privacy ** *** "*********"!
******* ********* *** ********* ** *** end ***** ******** ********* *******, *** privacy ** ***** *********, *** ***** customers ** ******* **** ******* ***. But *** **** ****, **** **** improperly ******* **** *** ******** *** services **** ******* ********* ***** ** a *** ********** ** ***** *******. The ***** ** ****** ** *** of ***** **** ***** *** ***** mess ************ ** ** *******.
******: ******* *** ******* ********* *** HIPAA '*************'* ******, *.*.:
*** *******'*"********** & ******** ***********" ***************** ****** ***** ** * ******** that "******* ******* *** ********* *******":
*** **** *** ****** ****** **** Verkada ** ********* **** ***** *********, but ***** *** ******* ** *************:
****'* ****** ** *** **** *** compliant ******* **** ** *** ********* ... ********* ** *** *****. ***, when ***** ***** *** *** *** this...
******* ** **** ** ********* ***** compliance ** **** ******** **:
*****, **** ****!
**** ** ** ********* ************* ** the"**** ** ****" ***** ** *******. **** **, **** *** ******** it ***** ** *** *** ****, even ** **** ** ******* ******** to ** ********* *** ***** ********** while ****** ****** ** ***** ********* access ** ***** *******.