Three State AGs Secure $4.5M from Biotech Company for Failing to Protect Health Data

On August 13, 2024, the Attorneys General of New Jersey, New York, and Connecticut secured $4.5 million from a biotechnology company which failed to adequately safeguard the personal and protected health information (PHI) of its patients. The company offers diagnostic testing at its laboratories in New York, Connecticut, and New Jersey.

An investigation found that it had deficient data security practices, which led to a 2023 ransomware attack that compromised the personal and private information of approximately 2.4 million patients nationwide, including about 331,600 New Jersey residents. As a result of the agreement, the company will pay $4.5 million, of which New Jersey will receive more than $930,000, and will strengthen its data security practices.

In 2023, cyberattackers were able to access the company’s networks using two employee login credentials. The multistate investigation later found that those two login credentials were shared among five employees, and that one of them had not been changed in the last ten years, putting the company at heightened risk of a cyberattack.

Once logged in, the attackers installed malicious software on several of the company’s systems. However, the company was not aware of the attackers’ activity until several days later because it did not have a system or process in place to monitor or provide notice of suspicious activity. Consequently, the attackers were able to steal files and data that contained patient information for 2.4 million patients, including names, addresses, dates of birth, phone numbers, Social Security numbers, and medical treatment/diagnosis information.

The multistate coalition alleged that the breach violated the Health Insurance Portability and Accountability Act (HIPAA) as well as the New Jersey Consumer Fraud Act, which prohibits unfair and deceptive practices. In addition to the financial penalties, the company agreed to adopt a series of measures aimed at strengthening its cybersecurity practices going forward, including:

    • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
    • Implementing and maintaining policies and procedures that limit access to personal information;
    • Implementing and maintaining multifactor authentication for all individual user accounts;
    • Establishing and maintaining policies and procedures that require using strong, complex passwords and password rotation;
    • Encrypting all personal information, whether stored or transmitted;
    • Conducting and documenting annual risk assessments; and
    • Developing, implementing, and maintaining a comprehensive incident response plan for potential data security issues.

Compliance Perspective

Issue

The HIPAA Security Rule mandates that covered entities implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI). Covered entities must maintain reasonable and appropriate safeguards to protect ePHI, ensuring its confidentiality, integrity, and availability. They are required to identify and protect against reasonably anticipated threats to the security or integrity of the information, guard against reasonably anticipated impermissible uses or disclosures, and ensure compliance by their workforce. Additionally, the Administrative Safeguards provisions of the Security Rule require covered entities to conduct a risk analysis as part of their security management process. This risk analysis should be ongoing, involving regular review of records to track access to ePHI, detection of security incidents, periodic evaluation of the effectiveness of security measures, and regular reassessment of potential risks to ePHI.

Discussion Points

    • Review policies and procedures related to HIPAA, ePHI, and the Security Rule. Ensure that they address how to secure ePHI and how to regularly update login credentials and passwords.
    • Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Security Rule, including the requirements for conducting risk assessments. Train all staff on HIPAA, PHI, and the Privacy Rule upon hire and annually. Make sure staff know not to share login credentials and that login credentials and passwords should be regularly updated.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Security Rule are being followed by all staff, and that each person demonstrates understanding and competency. Also periodically audit to ensure ongoing risk analysis is being conducted, and that login credentials are being updated on a regular basis.
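The two control failures described above (a credential shared among several employees and a password not rotated in ten years) and the absence of login monitoring are all things a periodic audit can surface mechanically. The script below is an added example, not part of this alert or of the settlement terms; the account export format, the authentication log format, and all account names, hosts and dates in it are constructed for illustration. It reports passwords older than a rotation policy, accounts without multifactor authentication, and any account that logs in successfully from an unusually large number of distinct workstations in a window, which is the pattern a shared credential leaves behind.

```python
"""
Credential-hygiene audit over a constructed account export and auth log.
Added example (not from the Med-Net alert or the settlement); every record
below is constructed. It flags the failures the alert describes: passwords
not rotated within policy, accounts lacking MFA, and one account used from
many workstations (the footprint of a shared credential).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed account export, in the shape an IAM/AD report tool might emit
# (field names are an assumption, not a real tool's schema).
ACCOUNTS = [
    {"user": "lab_shared01", "password_last_set": "2014-03-02", "mfa_enabled": False},
    {"user": "jdoe",         "password_last_set": "2024-04-20", "mfa_enabled": True},
    {"user": "svc_lims",     "password_last_set": "2023-11-15", "mfa_enabled": False},
    {"user": "mlee",         "password_last_set": "2024-05-01", "mfa_enabled": True},
]

# Constructed authentication log for one day (line format is an assumption).
AUTH_LOG = """\
2024-05-06T08:02:11Z user=lab_shared01 src_host=WS-0412 result=success
2024-05-06T08:05:47Z user=lab_shared01 src_host=WS-0417 result=success
2024-05-06T09:10:03Z user=jdoe src_host=WS-0201 result=success
2024-05-06T12:41:55Z user=lab_shared01 src_host=WS-0419 result=success
2024-05-06T13:15:20Z user=lab_shared01 src_host=WS-0433 result=success
2024-05-06T14:00:09Z user=svc_lims src_host=LIMS-APP1 result=success
2024-05-06T16:22:31Z user=lab_shared01 src_host=WS-0440 result=success
2024-05-06T17:03:12Z user=mlee src_host=WS-0212 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def stale_passwords(accounts, as_of, max_age_days=90):
    """Return {user: age_in_days} for every password older than the rotation policy."""
    findings = {}
    for acct in accounts:
        last_set = datetime.strptime(acct["password_last_set"], "%Y-%m-%d")
        age = (as_of - last_set.replace(tzinfo=timezone.utc)).days
        if age > max_age_days:
            findings[acct["user"]] = age
    return findings


def missing_mfa(accounts):
    """Return the sorted list of accounts with multifactor authentication disabled."""
    return sorted(a["user"] for a in accounts if not a["mfa_enabled"])


def shared_credential_candidates(log_text, min_distinct_hosts=3):
    """Return {user: [hosts]} for accounts that logged in successfully from
    at least min_distinct_hosts different hosts in the log window. Failed
    attempts are ignored; only successful use counts toward sharing."""
    hosts_by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        hosts_by_user[m["user"]].add(m["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_distinct_hosts}


def audit(accounts=ACCOUNTS, log_text=AUTH_LOG, as_of=None,
          max_age_days=90, min_distinct_hosts=3):
    """Run all three checks and return the findings keyed by category."""
    as_of = as_of or datetime(2024, 5, 7, tzinfo=timezone.utc)  # constructed audit date
    return {
        "stale_passwords": stale_passwords(accounts, as_of, max_age_days),
        "missing_mfa": missing_mfa(accounts),
        "shared_credential_candidates": shared_credential_candidates(log_text, min_distinct_hosts),
    }


if __name__ == "__main__":
    for category, hits in audit().items():
        print(f"{category}: {hits}")
```

The host-count threshold is a coarse heuristic: a helpdesk account legitimately used from many machines will also trip it, so its output is a list of accounts to review against the access policy, not a verdict. The password-age check is the one that would have caught a ten-year-old credential regardless of who was using it.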

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
