– The New York Attorney General has levied a $200,000 fine on Arc of Erie County for a HIPAA violation that exposed ePHI on 3,751 clients.

The Buffalo-based nonprofit, which provides services to people with developmental disabilities, exposed clients’ personal information on the internet from July 2015 to February 2018, affecting 3,751 New York clients, according to a press release from the attorney general’s office.

Personal information that was exposed on the website included full names, social security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth, and ages.

A report by a forensic investigator confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets containing clients’ sensitive information. The exposed webpage was intended only for internal use and was supposed to be protected by a log-in requirement.

The report also found that unknown individuals outside the country accessed the links with the sensitive information on many occasions. However, there was no evidence of malware on the system or any ongoing communications with outside IP addresses.

In addition to the $200,000 fine, Arc of Erie County is required to conduct a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems and review its policies and procedures. It must submit a report on the security assessment to the attorney general’s office within 180 days.

Arc of Erie County must also review and revise its policies and procedures based on the results of the assessment and notify the attorney general’s office of any action it takes. If no action is taken, the company must provide a written detailed explanation of why no action is needed.

On March 9, the Buffalo-based nonprofit notified affected clients in New York that the organization had inadvertently disclosed their sensitive information. It also provided victims a free one-year subscription to an identity theft protection service. The organization posted a link to information regarding the breach on its website and a notice in the Buffalo News on March 14.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said Attorney General Barbara Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

The 2009 HITECH Act expanded the authority of state attorneys general to pursue HIPAA violations. In March of this year, New York Attorney General Eric Schneiderman announced a $575,000 HIPAA fine against EmblemHealth for a data breach that exposed more than 80,000 Social Security numbers of patients. Schneiderman resigned in May after four women accused him of assault.

EmblemHealth discovered on October 13, 2016, that it had mailed policy holders a paper copy of their Medicare Prescription Drug Plan Evidence of Coverage (EOC Mailing). The EOC Mailing included a mailing label that had the policyholder’s Social Security number on it.

“Our investigation found that, while preparing the Evidence of Coverage documents for mailing, [Health Insurance Claim Numbers] were inadvertently included in the electronic file sent to EmblemHealth’s vendor and were then disclosed on the external mailing label that was affixed to the package,” the data breach notification letter said.

In April, New Jersey Attorney General Gurbir S. Grewal assessed a $418,000 HIPAA fine on Virtua Medical Group because of a vendor’s server misconfiguration that exposed PHI on 1,654 patients.

Virtua, a network of more than 50 South Jersey medical and surgical practices, reported the incident in March 2016. The breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at Virtua, updated software on a website where the documents were stored.

During the update, the vendor misconfigured a password-protected file transfer protocol (FTP) server, allowing the site to be accessed without a password.

Anyone who searched Google using terms that were contained in the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP site, the state’s investigation found.

By Fred Donovan (healthitsecurity.com)

If you are concerned about your organization’s HIPAA compliance please contact us as soon as possible.