Updates to Chapter 13

Regulatory Enforcement – State

UPDATES TO THE SECOND EDITION

13.3 Illustrative State Data Security Enforcement Actions 

In cybersecurity cases, states may invoke multiple types of laws. Illustrative are the proceedings brought by 33 states against Inmediata Health Group, LLC. The states alleged that PHI maintained by Inmediata had been available online and had been indexed by search engines. As a result, sensitive patient information could be viewed and potentially downloaded by anyone. Moreover, the states alleged that Inmediata delayed notification to impacted consumers, sent misaddressed notices and, further, sent notices that were far from clear. The attorneys general alleged that Inmediata violated state consumer protection (UDAP) laws, state breach notification laws, state reasonable security laws, and HIPAA by failing to implement reasonable data security and failing to provide affected consumers with timely and complete information regarding the breach. (See, for example, the Connecticut complaint.) Under the settlement, Inmediata agreed to strengthen its data security and breach notification practices, including implementation of a comprehensive information security program with specific security requirements, including code review and “crawling controls”; development of an incident response plan including specific policies and procedures regarding consumer notification letters; and annual third-party security assessments for five years. See updates to Chapter 11 for a description of the HHS OCR case against Inmediata.

13.3.1 Broadly-Scoped Cases Under State UDAP or Reasonable Security Laws 

New York – National Amusements (December 2024)

In December 2024, the New York attorney general settled with National Amusements, a movie-theater operator in New York, for $250,000. A hacker obtained information, including Social Security Numbers and driver’s license numbers, of employees by logging into National Amusements’ systems via an employee credential. National Amusements had cybersecurity measures in place: it implemented multi-factor authentication, but did not implement it for VPN access, and it typically encrypted Social Security Numbers, but some were unencrypted. The AG alleged that National Amusements violated Executive Law § 63(12)’s prohibition on business illegality and fraud, as well as the General Business Law provisions on data security and breach notification (Gen. Bus. L. §§ 899-aa, 899-bb). Under a settlement, National Amusements committed to a list of general and specific measures, including regularly assessing and documenting the sufficiency of its cybersecurity safeguards, rotating passwords, and conducting penetration testing.

New York – Auto Insurance (GEICO, Travelers, Noblr) (November & December 2024)

New York reached settlements with three auto insurance companies. All three used web-based quote-generating tools, some consumer-facing, some for use by insurance agents, that exposed driver’s license numbers. The user (whether consumer or agent) was prompted to provide an individual consumer’s name, date of birth, and address, in response to which the tool retrieved the driver’s license number (DLN) associated with the consumer in order to populate a form. Through a variety of flaws in the tools, threat actors were able to obtain DLNs. For example, while the GEICO tool partially masked the DLN on the end user's browser, the full DLN was exposed in plaintext as it was transmitted to the browser. Also, GEICO's consumer-facing quoting tool exposed full DLNs in plaintext in responses to two API calls intended for agent-side use. Some of the compromised DLNs were used to file fraudulent unemployment claims. For its part, Travelers secured its portal for agents by only username and password, without multi-factor authentication (MFA). In April 2021—one week after DFS issued an alert warning that threat actors had started aggressively targeting agent portals with credential stuffing attacks—threat actors gained access to the agents’ portal using compromised credentials and obtained tens of thousands of DLNs.
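The GEICO flaw described above, masking the DLN in the browser while the API response still carried it in full, is a pattern worth seeing in code. The following is an added example, not code from the casebook or from any of the insurers; the records, names, quote IDs and DLN values are constructed, and the function names are hypothetical. It shows the insecure response builder beside a server-side-masking version and a defender-side check that scans a serialized response for any full DLN on record, the kind of automated test that fits the secure-SDLC practices the settlement calls for.

```javascript
// Added example: client-side vs server-side masking of a driver's license
// number (DLN) in a quote-tool API. Everything here is constructed for
// illustration; no real data or insurer code is involved.

const CONSTRUCTED_RECORDS = [
  { name: "Jane Example", dob: "1980-01-01", address: "1 Main St", dln: "X123456789" },
];

// Look up the DLN tied to a name, date of birth and address (constructed data).
function lookupDln(name, dob, address) {
  const rec = CONSTRUCTED_RECORDS.find(
    (r) => r.name === name && r.dob === dob && r.address === address
  );
  return rec ? rec.dln : null;
}

// Mask all but the last four characters; this is what the browser displayed.
function maskDln(dln) {
  if (!dln) return null;
  return "*".repeat(Math.max(0, dln.length - 4)) + dln.slice(-4);
}

// Insecure pattern: the API returns the full DLN and relies on the client to
// mask it. The end user sees asterisks, but the wire carries the real value.
function buildQuoteResponseInsecure(query) {
  const dln = lookupDln(query.name, query.dob, query.address);
  return JSON.stringify({ quoteId: "Q-CONSTRUCTED-1", dln });
}

// Hardened pattern: masking happens on the server, so the raw DLN never
// leaves it, whichever endpoint (consumer- or agent-facing) is called.
function buildQuoteResponseSecure(query) {
  const dln = lookupDln(query.name, query.dob, query.address);
  return JSON.stringify({ quoteId: "Q-CONSTRUCTED-1", dlnMasked: maskDln(dln) });
}

// Defender-side check: does a serialized response contain any full DLN on
// record? Run this against every API response in an automated test suite.
function responseLeaksFullDln(serializedResponse) {
  return CONSTRUCTED_RECORDS.some((r) => serializedResponse.includes(r.dln));
}

const query = { name: "Jane Example", dob: "1980-01-01", address: "1 Main St" };
console.log("insecure response leaks full DLN:",
  responseLeaksFullDln(buildQuoteResponseInsecure(query)));
console.log("secure response leaks full DLN:",
  responseLeaksFullDln(buildQuoteResponseSecure(query)));
```

The design point is that masking is a data-minimization control and belongs where the data lives: once the full value has been sent to the client, any presentation-layer masking is cosmetic. The `responseLeaksFullDln` check is deliberately simple (substring match against known values) so that it can sit in a CI test for each endpoint, including ones intended only for agent-side use.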

In November 2024, the New York Attorney General and the Department of Financial Services settled with GEICO ($9.75 million in penalties) and the Travelers Indemnity Company ($1.55 million). In December 2024, New York’s Attorney General settled with Noblr Reciprocal Exchange, another auto-insurance company, for $500,000 after a threat actor breached personal information through Noblr’s quote-generation tool.

The regulators alleged that all three companies violated Executive Law § 63(12), which prohibits repeated fraud and illegality by businesses, and General Business Law § 899-bb, which requires companies to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information of NY residents. The three companies reached similar settlements with the state. Among other measures, GEICO committed to developing policies “designed to ensure secure software development lifecycle practices for web-based, mobile, or other applications—whether public-facing, credential-based, or internal.” Travelers committed to implementing multi-factor authentication or an equivalent. Noblr committed to developing and annually updating a data inventory identifying when Noblr collects private information and tracking the complete path of all data flows involving personal information, including API calls. The cases suggest that all entities maintaining web interface tools need to do the same.

Connecticut - Guardian Analytics, Inc. (Oct. 2024)

On October 21, 2024, Connecticut’s Attorney General announced a settlement with Guardian Analytics, Inc. and its successor Actimize, Inc., resolving an investigation into a data breach that impacted the personal information of 157,629 Connecticut residents. Guardian uses behavioral analytics and machine learning to help prevent banking fraud for its client institutions. In order to utilize Guardian’s services, financial institutions need to provide customer information such as names, account numbers, and transaction information, which can include Social Security numbers. This type of data was exposed during the breach, which lasted from November 2022 through January 2023. Under the settlement, Guardian and Actimize agreed to pay $500,000 and to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information;

  • Implementing and maintaining strong integration practices that require onsite inspections of acquired entities;

  • Encrypting all personal information, whether stored or transmitted;

  • Conducting and documenting annual risk assessments;

  • Implementing and maintaining multi-factor authentication for all individual user accounts and for remote access;

  • Implementing and maintaining an incident response plan to prepare for and respond to security incidents; and

  • Obtaining an information security assessment to be conducted by a qualified third-party professional.

New York – Albany ENT & Allergy Services (October 2024)

In 2023, Albany ENT & Allergy Services (AENT) was subject to two ransomware attacks within 10 days, involving information of more than 200,000 patients. The New York Attorney General investigated and found numerous cybersecurity lapses, including failure to adequately monitor vendors responsible for IT and infosec functions, identify and encrypt PI, timely install patches, monitor logs, adopt MFA, and accurately perform security risk analyses. The AG alleged violations of Executive Law § 63(12), on “repeated fraudulent or illegal acts” by businesses and, under the General Business Law, §§ 349 (making deceptive acts or practices unlawful), 899-aa (on breach notifications) and 899-bb (requiring reasonable safeguards). AENT settled, agreeing to make numerous improvements in its cybersecurity (along with a promise to invest $2.25 million to improve its cybersecurity) and to pay a $500,000 penalty. Commitments, similar to those found in many FTC settlements, included maintaining a comprehensive information security program and appointing a qualified person to lead it; inventorying and encrypting all personal information; monitoring and logging; and implementing “reasonable written policies and procedures to oversee IT and InfoSec vendor performance of any security functions and/or PI privacy obligations (arising by contract or law).”

Multistate (49 States & D.C.) – Marriott Hotels (October 2024)

Hotel giant Marriott International Inc. reached a $52 million settlement with fifty attorneys general (of every state but California plus the District of Columbia) related to data breaches between 2014 and 2018. The breach resulted from years-long vulnerabilities in the systems of Starwood Hotels and Resorts Worldwide; intruders had already accessed Starwood’s networks when Marriott acquired it in 2016. As a result of the intrusions, 131.5 million records of guests in the United States were breached. This information included payment information, names, dates of birth, reservation details, and passport numbers. Eight states—Connecticut, Maryland, Oregon, Illinois, Louisiana, Massachusetts, North Carolina, and Texas—plus the District of Columbia led the investigation.

In identical settlements, the state attorneys general cited their consumer protection laws, data breach notification laws, and/or laws requiring reasonable security measures. Connecticut, for example, cited the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. §§ 42-110b, et seq.), the state’s breach notification law (Conn. Gen. Stat. § 36a-701b), and its law on the safeguarding of personal information (Conn. Gen. Stat. § 42-471). Marriott agreed to a series of cybersecurity measures, including:

  • implementing principles and controls for critical IT vendors, including monitoring for all points of connection to Marriott and its databases;

  • conducting an annual risk assessment;

  • providing a data-deletion option to consumers; and

  • enlisting a third party to audit Marriott’s security programs every two years for the next 20 years.

Multistate (New York, Connecticut, New Jersey) – Enzo Biochem (August 2024)

Enzo Biochem, Inc., a New York-based company that operates bio-testing labs, agreed in August 2024 to pay $4.5 million to three states: New York, Connecticut, and New Jersey. Attackers breached Enzo’s network in April 2023 through two administrator accounts, accessing patient files, installing malicious software, and encrypting Enzo’s systems via ransomware. The New York Attorney General found that Enzo’s data security program was deficient in several areas, including in its failure to encrypt patient data. New York alleged that Enzo violated New York’s General Business Law §§ 899-aa and 899-bb and the Health Insurance Portability and Accountability Act (HIPAA) regulations. Enzo’s commitments in the settlement include implementing multifactor authentication; conducting annual risk assessments; encrypting consumer personal information; and adopting Endpoint Detection and Response solutions or software of “the highest technical level available.”

New York – HealthAlliance (December 2024)

In December 2024, the New York attorney general secured a settlement with HealthAlliance, a health care provider, for failing to properly protect personal and medical information. In July 2023, a vendor for HealthAlliance’s web applications released a cybersecurity alert and instructed its clients to take action to patch a vulnerability in its system. While HealthAlliance was aware of the vulnerability, it was unable to apply the patch due to technical issues. Instead of taking the product offline, it continued to operate it with the vulnerability while it worked with support teams to diagnose and address the problem. Meanwhile, cyber-attackers were able to exploit the vulnerability and steal sensitive information, including patient records and employee information. The AG found that respondent’s conduct violated Executive Law § 63(12), which prohibits illegal practices in the conduct of any business, and GBL § 899-bb, which requires any person or business that owns or licenses computerized data which includes the private information of a resident of New York to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The respondent agreed to pay a penalty and to adopt a series of additional security measures to restrict and monitor network activity, including:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information; 

  • Developing and maintaining data inventory, which must be updated annually;

  • Maintaining and enforcing a patch management policy;

  • Logging and monitoring; and

  • Offering free identity-monitoring services to affected consumers, including for children.

California – Blackbaud (June 2024)

California sued Blackbaud, Inc., a South Carolina-based corporation, alleging that the company not only “failed to use appropriate information security practices to protect consumers’ personal information resulting in a 2020 data breach” but also “compounded the impact of the breach when it made unfair, deceptive, untrue, and misleading statements about its security practices at the time of the breach and in downplaying the severity of the data breach.” People v. Blackbaud, Inc., No. 37-2024-00027643 (Super. Ct. Cal. 2024). (California did not join a lawsuit by every other state and the District of Columbia against Blackbaud based on the same data breach; in that case, Blackbaud agreed in October 2023 to pay a $49.5 million settlement.)

In its lawsuit, California alleged that Blackbaud violated two state laws: the Unfair Competition Law (Cal. Bus. & Prof. Code § 17200 et seq.) and the False Advertising Law (§ 17500 et seq.). Blackbaud allegedly violated the “unlawful” prong of the UCL because another state law (Cal. Civ. Code § 1798.81.5) requires businesses in California to protect “personal information.” Blackbaud also ran afoul of the UCL, according to California, by “making false, deceptive, or misleading statements regarding its security measures in place at the time of the data breach and its statements regarding the data breach.” The complaint alleges that Blackbaud violated California’s False Advertising Law (§ 17500 et seq.) by making similar statements to the public.

California and Blackbaud reached a $6.75 million settlement. Under its terms, Blackbaud agreed to a nine-part injunction, with fifteen “specific technical safeguards and controls.” Blackbaud’s commitments include:

  • Implementing a written incident response plan;

  • Conducting twice-yearly table-top exercises to respond to cybersecurity incidents;

  • Segmenting and micro-segmenting its network;

  • Detecting threats through Endpoint Detection and Response (EDR);

  • Implementing password-protection measures on its accounts, such as multi-factor authentication or tokens; and

  • Appointing new cybersecurity personnel, including a Patch Management Group.

Florida – Medical Devices with “Backdoors” (June 2025)

A novel investigation by Florida’s AG is noteworthy: On June 16, 2025, Florida’s AG announced that his office had issued subpoenas to Contec, a Chinese company that sells medical devices, and Epsimed, a U.S. company that resells such devices. In a press release, the attorney general’s office alleged, “There is evidence that Contec, a Chinese manufacturer of patient monitors that has conducted business in the U.S. for over a decade, concealed serious security problems in its products.”

The AG claims that both companies may have violated Florida’s Deceptive and Unfair Trade Practices Act, including through Contec’s false representation that its devices were FDA approved and through both companies’ assurances of security. In particular, the Attorney General noted concerns that the devices include “backdoors” that, without a patient’s knowledge, send sensitive medical data to a Chinese university. This allegation echoes a warning, published in January 2025, from the federal Cybersecurity & Infrastructure Security Agency, which found an “embedded backdoor function” in three Contec models.

13.3.4 State Enforcement under HIPAA

New York – Refuah Health Center, Inc. Ransomware Attack (January 2024)

In January 2024, New York Attorney General Letitia James announced a $1.2 million settlement (plus $450,000 in penalties) with Refuah Health Center. A ransomware attack on the company exposed names, Social Security Numbers, and insurance information of several hundred thousand patients. Intruders accessed internal cameras at the health center via a four-digit passcode, then used decade-old credentials of an IT vendor who no longer worked there to access patient information. New York alleged that Refuah violated the HIPAA Security Rule and Breach Notification Rule, 45 C.F.R. Part 164 Subpart D, as well as New York’s General Business Law § 899-aa, which requires notifications of data breaches, and § 899-bb, requiring “reasonable safeguards to protect the security, confidentiality and integrity of the private information.” Under the settlement, Refuah committed to cutting off access to data for former employees or employees whose responsibilities have changed; encrypting consumer personal information; and providing notice of the 2021 breach to all consumers within 90 days of the effective date of the settlement.

Indiana – Personal Health Information from a Dental Company Breach (December 2024)

In December 2024, Indiana sued and settled with Westend Dental, an Indianapolis-based company, for its handling of personal health information and deceptive statements following a data breach and ransomware attack in October 2020. According to the Indiana attorney general, Westend attempted to cover up the ransomware incident and denied that a data breach occurred until January 2023. The AG alleged violations of HIPAA breach notice and security rules, by failing to notify patients of the breach within 60 days or to protect personal information from such breaches, as well as disclosing personal information of patients without authorization—for example, in response to public online reviews. The complaint also alleged violations of state law: the Indiana Disclosure of Security Breach Act (Ind. Code § 24-4.9 et seq.), which requires that database owners implement “reasonable procedures” for information security and provide notices of breach, and the Indiana Deceptive Consumer Sales Act (Ind. Code § 24-5-0.5 et seq.).

The parties entered a consent order on December 19, 2024, under which Westend committed to:

  • Overseeing third-party vendors “who have access to the Westend Dental Network, or who hold or store ePHI and/or PI on Westend Dental’s behalf;”

  • Training employees and contractors “who handle PI, PHI, and/or ePHI”;

  • Refraining from disclosing any PHI on social media and deleting any existing posts that previously have done so; and

  • Enlisting a third-party HIPAA assessor to report on Westend’s compliance with HIPAA Rules.

See also the multi-state settlement with Enzo Biochem, Inc., discussed in Subchapter 13.3.1.

13.3.5 Enforcement of New York’s Financial Services Regulation

In January 2025, the New York State Department of Financial Services announced a $2 million settlement with PayPal, Inc. At issue was a 2022 breach in which threat actors accessed Form 1099-Ks that included unmasked Non-Public Information (NPI). The department alleged that PayPal violated the state’s cybersecurity regulation for financial services, 23 NYCRR § 500.3(d), (i), and (k). Violations included failing to employ and continuously train qualified cybersecurity professionals to manage cybersecurity, as well as failing to protect NPI.

The settlement specifically noted that, in assessing the penalty, the Department took into account PayPal’s “commendable cooperation” throughout the investigation. The Department also “recogniz[ed] and credit[ed]” PayPal’s efforts to remediate the issues identified in the consent order, beginning immediately after it discovered the vulnerability. In particular, the settlement noted that PayPal had implemented CAPTCHA and multi-factor authentication and offered new training. The settlement required compliance with the law but did not specify additional cybersecurity obligations.

________________________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

13.3 Illustrative State Data Security Enforcement Actions

Diamond Institute for Infertility and Menopause – New Jersey

In October 2021, New Jersey’s acting AG announced settlement of a case against a healthcare provider arising out of a data breach that compromised the personal information of 14,663 patients. The state alleged violation of both the New Jersey Consumer Fraud Act, N.J.S.A. 56:8-1 et seq., and the HIPAA Privacy and Security Rules. It cited 20 specific ways in which Diamond fell short, including:

  • failing to conduct an accurate and thorough risk assessment of potential risk and vulnerabilities to the confidentiality, integrity and availability of ePHI;

  • failing to implement a mechanism to encrypt ePHI;

  • failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;

  • failing to implement proper procedures for creating, changing, and safeguarding passwords;

  • failing to implement a written contract or other arrangement with three business associates to document that it had obtained satisfactory assurances that the business associates will appropriately safeguard the ePHI; and

  • failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.

The company agreed to pay $495,000 and implement new data security measures to include:

  • developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;

  • appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;

  • training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;

  • developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and

  • implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.


Last updated: July 29, 2025.

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.