Are State AGs Picking Up Slack in HIPAA Enforcement?States Apparently More Active in Breach Settlement Activity than HHS This Year
So far this year, federal regulators have issued only three HIPAA enforcement actions, a big drop from the two previous years. So is a recent HIPAA settlement issued by the New York state attorney general's office another sign that states could begin to overshadow the feds when it comes to enforcement actions involving health data security and privacy?
See Also: The Global State of Online Digital Trust
The office of Barbara Underwood, New York state attorney general, recently announced a $200,000 HIPAA settlement and corrective action plan for The Arc of Erie County after a breach impacting more than 3,000 individuals. The incident at the center of the settlement involved protected health information that was accessible on the internet via search engines for nearly three years.
That settlement is the latest of several security-related enforcement actions taken by the New York state attorney general's office - and other state AG offices - so far this year.
Before he resigned earlier this year, New York's previous attorney general, Eric Schneiderman issued a variety of breach-related enforcement actions, including a $1.15 million settlement with health plan Aetna and a $575,000 settlement with Emblem Health for separate data breach cases.
"The New York attorney general office has teams of experienced, seasoned investigators and attorneys empowered to pursue investigations against companies doing business in New York State," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
Meanwhile, New Jersey's AG in April smacked Virtua Medical Group with a $418,000 penalty for a 2016 breach involving a vendor's misconfiguration of a file transfer protocol server that exposed health data of about 1,600 patients on the internet, similar to the type of PHI exposure in the Arc of Erie County case.
In addition, Holtzman notes, "California's attorney general has followed a tradition of vigorous enforcement of state information privacy laws enacted to require organizations that hold personally identifiable information to have appropriate safeguards and notify individuals promptly when there has been an unauthorized disclosure."
New State Laws
California also recently enacted one of the nation's strictest privacy laws, which goes into effect in 2020. Other states, including Colorado, have also been strengthening their privacy and/or breach notification laws.
"There has been a marked uptick in states adopting new standards for data protection and breach reporting."
—David Holtzman, CynergisTek
"There has been a marked uptick in states adopting new standards for data protection and breach reporting," Holtzman says.
"Many of these new laws require organizations to protect health information that would not be protected by HIPAA and enforce these requirements on data about that state's residents when held by any entity, anywhere. A number of state attorneys general are bringing enforcement actions under HIPAA and state law requirements to protect consumer information from unauthorized disclosure."
In some cases that involve breaches that impact the citizens of a number of states, "attorneys general will band together to pursue remedies for the benefit of their state's citizens," Holtzman adds.
OCR Enforcement Slowdown?
While some states are actively pursuing HIPAA-related and other breach-related matters, the Department of Health and Human Services' Office for Civil Rights' HIPAA enforcement activities are slumping so far this year, compared with previous years.
HHS has issued only three HIPAA enforcement actions in so far this year. Those include:
- A $4.3 million civil monetary penalty issued in April by an HHS administrative law judge against the University of Texas MD Anderson Cancer Center in a case involving three breaches that occurred in 2012 and 2013;
- A $100,000 settlement in February with Filefax, a now-defunct Illinois-based medical records storage company at the center of a 2015 "dumpster diver" breach affecting more than 2,000 patients;
- A $3.5 million settlement in February with Massachusetts-based healthcare organization Fresenius Medical Care North America in a case involving five small health data breaches in 2012 involving lost or stolen unencrypted computing devices.
That's far fewer than the 10 OCR enforcement actions in 2017, totaling $19.4 million in settlements and fines, and the 13 actions in 2016, totaling $23.5 million (see Is HIPAA Enforcement Winding Down?).
OCR did not immediately respond to an Information Security Media Group request for comment on its HIPAA enforcement trends.
Under the HITECH Act of 2009, state attorneys general have the authority to bring civil actions and obtain damages on behalf of state residents for violations of the HIPAA privacy and security rules.
Privacy attorney Iliana Peters of the law firm Polsinelli, a former long-time OCR enforcement official, notes: "In my experience, OCR has worked closely with state attorneys general around the country, including by providing training to all of the state AG's offices after passage of the HITECH Act, so I expect that coordination to continue."
The Arc of Erie County Case
The breach involving The Arc of Erie County, a Buffalo-based not-for-profit that provides services to those with developmental disabilities and their families, came to light in early February when the organization received a tip from the public that its clients' personal information was exposed on its website, the New York AG's office's statement notes.
Exposed data included full names, Social Security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth and ages, the statement says.
"In a subsequent report, a forensic investigator found that the information was publicly available on the internet from July 2015 to February 2018 and affected 3,751 clients residing in New York. The report confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets with clients' sensitive information," the statement says.
The web page was intended only for internal use and was supposed to be protected by a log-in requirement, according to the AG. "Unknown individuals outside the country accessed the links with the sensitive information on many occasions. There was no evidence of malware or other malicious software on the system or any ongoing communications with outside IP addresses."
The incident was reported to OCR on March 9 as an unauthorized access/disclosure breach involving a network server.
"The Arc of Erie County is required to safeguard patients' protected health information, including Social Security numbers, and utilize appropriate administrative, physical, and technical safeguards," the NY state AG's statement notes.
The settlement requires The Arc of Erie County to implement a corrective action plan that includes a thorough analysis of security risks and vulnerabilities of all electronic equipment and data systems. The organization must submit a report of those findings to the AG office within 180 days of the settlement.
The Arc of Erie County did not immediately respond to an ISMG request for comment.
Lessons to Learn
Mishaps similar to the exposure of data online at The Arc of Erie County have been the focus of other enforcement actions.
For instance, back in 2012, OCR slapped a $100,000 penalty on Phoenix Cardiac Surgery as part of a settlement and corrective action plan after the physician practice posted clinical and surgical appointments for their patients on an internet-based calendar that was publicly accessible.
These kinds of incidents involving exposure of PHI on the internet are often the result of organizations skimping on their HIPAA compliance efforts, says Peters, the former OCR official.
"I note that one of most underutilized, in my opinion, requirements of the HIPAA Security Rule is the evaluation standard," she says. "The evaluation standard requires that HIPAA covered entities and business associate perform a technical and nontechnical evaluation that establishes the extent to which the organization's practices meet the requirements of the security rule in response to operational changes affecting the security of information."
In other words, when there is a change in the organization affecting the information it holds, such as an update to a web application, the organization should perform both an administrative review and technical testing to make sure that the information is protected in conjunction with its current practices, or that it modifies such policies and practices if they are not sufficient, as a result of the change, Peters says.
"Testing associated with any change to the organization affecting its data is standard industry practice," the attorney adds.