Updates to Chapter 13
Regulatory Enforcement – State
UPDATES TO THE SECOND EDITION
13.3 Illustrative State Data Security Enforcement Actions
In cybersecurity cases, states may invoke multiple types of laws. Illustrative are the proceedings brought by 33 states against Inmediata Health Group, LLC. The states alleged that PHI maintained by Inmediata had been available online and had been indexed by search engines. As a result, sensitive patient information could be viewed and potentially downloaded by anyone. Moreover, the states alleged that Inmediata delayed notification to impacted consumers, sent misaddressed notices, and, further, that the notices were far from clear. The attorneys general alleged that Inmediata violated state consumer protection (UDAP) laws, state breach notification laws, state reasonable security laws, and HIPAA by failing to implement reasonable data security and failing to provide affected consumers with timely and complete information regarding the breach. (See, for example, the Connecticut complaint.) Under the settlement, Inmediata agreed to strengthen its data security and breach notification practices, including implementation of a comprehensive information security program with specific security requirements, including code review and “crawling controls,” development of an incident response plan including specific policies and procedures regarding consumer notification letters, and annual third-party security assessments for five years. See updates to Chapter 11 for a description of the HHS OCR case against Inmediata.
On October 21, 2024, Connecticut’s Attorney General announced a settlement with Guardian Analytics, Inc. and its successor Actimize, Inc., resolving an investigation into a data breach that impacted the personal information of 157,629 Connecticut residents. Guardian uses behavioral analytics and machine learning to help prevent banking fraud for its client institutions. To use Guardian’s services, financial institutions need to provide customer information such as names, account numbers, and transaction information, which can include Social Security numbers. This type of data was exposed during the breach, which lasted from November 2022 through January 2023. Under the settlement, Guardian and Actimize agreed to pay $500,000 and to adopt a series of measures aimed at strengthening their cybersecurity practices going forward, including:
Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information;
Implementing and maintaining strong integration practices that require onsite inspections of acquired entities;
Encrypting all personal information, whether stored or transmitted;
Conducting and documenting annual risk assessments;
Implementing and maintaining multi-factor authentication for all individual user accounts and for remote access;
Implementing and maintaining an incident response plan to prepare for and respond to security incidents; and
Obtaining an information security assessment to be conducted by a qualified third-party professional.
13.3.1 Broadly-Scoped Cases Under State UDAP or Reasonable Security Laws
In December 2024, the New York attorney general secured a settlement with HealthAlliance, a health care provider, for failing to properly protect personal and medical information. In July 2023, a vendor for HealthAlliance’s web applications released a cybersecurity alert and instructed its clients to take action to patch a vulnerability in its system. While HealthAlliance was aware of the vulnerability, it was unable to apply the patch due to technical issues. Instead of taking the product offline, it continued to operate it with the vulnerability while it worked with support teams to diagnose and address the problem. Meanwhile, cyber-attackers were able to exploit the vulnerability and steal sensitive information, including patient records and employee information. The AG found that the respondent’s conduct violated Executive Law § 63(12), which prohibits illegal practices in the conduct of any business, and GBL § 899-bb, which requires any person or business that owns or licenses computerized data that includes the private information of a resident of New York to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The respondent agreed to pay a penalty and to improve its data security practices, including:
Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
Developing and maintaining a data inventory;
Maintaining and enforcing a patch management policy; and
Adopting a series of additional security measures to restrict and monitor network activity.
________________________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION
13.3 Illustrative State Data Security Enforcement Actions
Diamond Institute for Infertility and Menopause – New Jersey
In October 2021, New Jersey’s acting AG announced the settlement of a case against a healthcare provider arising out of a data breach that compromised the personal information of 14,663 patients. The state alleged violation of both the New Jersey Consumer Fraud Act, N.J.S.A. 56:8-1 et seq., and the HIPAA Privacy and Security Rules. It cited 20 specific ways in which Diamond fell short, including:
failing to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
failing to implement a mechanism to encrypt ePHI;
failing to review and modify security measures as needed to continue reasonable and appropriate protection of ePHI;
failing to implement proper procedures for creating, changing, and safeguarding passwords;
failing to implement a written contract or other arrangement with three business associates to document that it had obtained satisfactory assurances that the business associates will appropriately safeguard the ePHI; and
failing to implement procedures to verify that the person seeking access to ePHI is who they claim to be.
The company agreed to pay $495,000 and implement new data security measures to include:
developing and implementing a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
appointing a new HIPAA Privacy and Security Officer with the appropriate background and expertise to implement, maintain, and monitor the information security program;
training employees concerning information privacy and security policies, and the proper handling and protection of personal information, PHI, and ePHI;
developing and implementing a written incident response and data breach notification plan to prepare for and respond to data security incidents; and
implementing personal information safeguards and controls, including encryption, logging and monitoring, access controls, a risk assessment program, and password management.
Last updated: December 10, 2024.
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, © Erik Törner, CC BY-NC-SA 2.0.