Home Healthcare Company Pays $350K for Failing to Protect Patient and Employee Data

New York Attorney General Letitia James announced on October 18, 2023, that she had secured $350,000 from a Long Island-based home healthcare company for failing to protect vulnerable New Yorkers’ personal information and healthcare data. According to the press release, the home healthcare company’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers. The data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA), which required the company to adhere to specific data protection practices.

The company has agreed to pay $350,000 in penalties to New York, update and improve its cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising the home healthcare company’s employees’ data.

The home healthcare company is the parent company of subsidiaries that operate Medicare-certified home health, home care, and hospice-at-home services throughout the country, including in New York City, Westchester, and Long Island. In January 2021, a company employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to its network and collect patient and employee records from an unencrypted server. These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people.

The Office of the Attorney General’s (OAG) investigation determined that the company failed to maintain reasonable data security safeguards to protect patient and employee data, and that its information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.

During the OAG’s investigation, the company was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. The company had provided this data to its insurance broker, who provided the data to an enrollment software vendor that placed the data on an unsecured site. The company did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. The OAG secured a separate agreement with the software vendor for failing to secure this information. Under the terms of the software vendor’s agreement with the OAG, the vendor must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information.

As a result of the agreement, the home healthcare company will pay $350,000 in penalties and offer affected consumers free identity theft protection and recovery services. In addition, the company will be required to enhance its information security program and implement safeguards to better protect its employees’ and patients’ personal and health information, including:

    • Maintaining a comprehensive information security program that includes regular risk assessments, regular testing and monitoring of existing safeguards, and regular updates to the information security program;
    • Maintaining reasonable access control and authentication procedures;
    • Encrypting personal and health information;
    • Implementing a continuous logging and monitoring system, anti-malware protections, an intrusion detection and prevention solution, and an email filtering and phishing solution;
    • Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing;
    • Updating its data collection, retention, and disposal practices to ensure that personal and health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes;
    • Conducting annual employee security training; and
    • Establishing reasonable vendor management procedures.

Compliance Perspective

Issue

The healthcare sector is one of the largest victims of ransomware because of the sensitivity of the confidential data it holds and the critical nature of online patient records. The HIPAA Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. It also requires the implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches, which are reportable under HIPAA requirements.

Discussion Points

    • Review policies and procedures related to HIPAA, protected health information (PHI), the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
    • Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
    • Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to ensure agreements with vendors include data security standards.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
