On September 22, 2023, Attorney General Phil Weiser announced a settlement with an Ohio nursing home for failing to protect the personal data of hundreds of residents and employees before and during a 2021 data breach.
In March of 2021, the nursing home in question discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, the accounts in question were not protected. The breached inboxes contained tens of thousands of emails, some of which contained personal, financial, and medical data for hundreds of current and former residents and employees, including emails containing personal data going back as far as 2016.
Despite being required under state law, the company had no written data disposal policy. The company also waited months, rather than the legally required 30 days, before notifying those affected.
Under the terms of the settlement agreement, the company will pay a fine of anywhere from $35,000–60,000 and agrees to the following:
- Develop a written paper and electronic data disposal policy as required by state law.
- Update its existing written information security program and review and update the existing information security program to ensure it is compliant with the law, meets the needs of the size and scope of the company’s operations, and addresses the vulnerabilities that led to the breach in the first place.
- Review the safeguards it has put in place on at least an annual basis.
- Develop an incident response plan.
- Submit regular compliance reports to the attorney general and cooperate with any proceedings or investigations that arise out of the state’s monitoring of the company’s operations under the agreement.
The settlement funds may be used to pay restitution, and for future consumer fraud or antitrust enforcement, consumer education, or public welfare purposes.
Compliance Perspective
Issue
Nursing facilities must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. It also requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data that is housed within their computer systems is protected. All staff who have access to the computer network should be trained on best practices in preventing data breaches and what they must do to assist in the prevention of these breaches. The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form, including in connection with the disposal of such information.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and the Privacy and Security rules. Ensure that both federal and state regulations are included. Update these documents as new information becomes available.
- Train all staff on HIPAA, PHI, and the Privacy and Security rules, including the proper disposal of PHI. The Privacy Category of Med-Net Academy includes educational programs on the topics of HIPAA, PHI, and data security that are available to all clients. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Privacy and Security rules are being followed by all staff, and that each person demonstrates understanding and competency.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
