Updates to Chapter 13
Regulatory Enforcement – State
UPDATES TO THE SECOND EDITION
13.3 Illustrative State Data Security Enforcement Actions
On October 21, 2024, Connecticut’s Attorney General announced a settlement with Guardian Analytics, Inc. and its successor Actimize, Inc., resolving an investigation into a data breach that affected the personal information of 157,629 Connecticut residents. Guardian uses behavioral analytics and machine learning to help its client institutions prevent banking fraud. To use Guardian’s services, financial institutions must provide customer information such as names, account numbers, and transaction information, which can include Social Security numbers. Data of this type was exposed during the breach, which lasted from November 2022 through January 2023. Under the settlement, Guardian and Actimize agreed to pay $500,000 and to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:
Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information;
Implementing and maintaining strong integration practices that require onsite inspections of acquired entities;
Encrypting all personal information, whether stored or transmitted;
Conducting and documenting annual risk assessments;
Implementing and maintaining multi-factor authentication for all individual user accounts and for remote access;
Implementing and maintaining an incident response plan to prepare for and respond to security incidents; and
Obtaining an information security assessment to be conducted by a qualified third-party professional.
________________________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION
13.3 Illustrative State Data Security Enforcement Actions
Diamond Institute for Infertility and Menopause – New Jersey
In October 2021, New Jersey’s acting AG announced the settlement of a case against a healthcare provider arising out of a data breach that compromised the personal information of 14,663 patients. The state alleged violations of both the New Jersey Consumer Fraud Act, N.J.S.A. 56:8-1 et seq., and the HIPAA Privacy and Security Rules. It cited 20 specific ways in which Diamond fell short, including:
failing to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
failing to implement a mechanism to encrypt ePHI;
failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
failing to implement proper procedures for creating, changing, and safeguarding passwords;
failing to implement a written contract or other arrangement with three business associates to document that it had obtained satisfactory assurances that the business associates will appropriately safeguard the ePHI; and
failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.
The company agreed to pay $495,000 and to implement new data security measures, including:
developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;
training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;
developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and
implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.
Last updated: October 29, 2024.
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.