The Arc of Erie County, a non-profit agency that supports children and adults with disabilities based in Buffalo, NY, was levied a $200,000 fine by the NewYork Attorney General for a HIPAA violation that saw the electronic protected health information (ePHI) of nearly 3,800 clients exposed.
In February 2018, a member of the public notified staff at the Arc of Erie County, a chapter of the The Arc Of New York, that the personal information of some of its clients was accessible through its website. Spreadsheets containing the personal information of thousands of clients could be accessed by any unauthorised individual simply be using a search engine.
An investigation was launched into the incident, and it was discovered that 3,751 clients had been affected by the breach. All of the clients were based in New York, but investigators discovered that the website had been visited by individuals based outside the United States on multiple occasions. The investigators discovered that the information accessible through the website included names, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security numbers.
The investigation into the security breach revealed sensitive information had been accessible online, from July 2015 to February 2018, when the breach was discovered. The webpage should only have been accessible by staff at the clinic through their internal access, and was supposed to be protected by log-on requirements, so only those with the correct name and password could access the data.
In accordance with HIPAA’s Breach Notification Rule, those who were affected by the breach were notified March 9, 2018. The victims of the data breach were offered a year-long subscription to a data theft protection service. Due to the size and nature of the breach, the Department of Health and Human Services’ Office for Civil Rights was informed and a breach report was submitted to the New York Attorney General’s office.
As over 500 individuals were affected by the breach, HIPAA’s Breach Notification Rule states that the media must be information of the incident. The Arc of Erie Country placed a notice in Buffalo News on March 14, and also posted information about the breach on its own website.
According to HIPAA’s Security Rule, the Arc of Erie County is required place multiple safeguards the ePHI of its clients, including technical, physical, and administrative safeguards. This is to prevent the information from being accessed by unauthorized individuals. In this instance, technical safeguards should have been in place to ensure that the data was secure online, and administrative safeguards should have prevented anybody without the correct username and password from accessing the data.
The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients ePHI. However, despite the data being accessed by a number of unauthorised individuals, there is no evidence of it being used for malicious purposes.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara. D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
The 2009 HITECH Act expanded the power of state attorneys general to pursue HIPAA violations that occur in their jurisdictions. They have the ability to levy fines against organisations that are found to be in violation of HIPAA Rules.
In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis. It is likely that this will be a very costly process for the Arc of Erie County, but it may help them in avoiding future HIPAA violations, and the hefty penalties associated with them.
A report of the risk assessment must be submitted to the New York Attorney General’s office within 180 days.