In late August, the Attorney General of the State of New York announced a $200,000 settlement with a New York-based non-profit organization that provides services to developmentally disabled individuals and their families after concluding that the organization exposed sensitive personal information of its clients on the Internet for almost three years.
The settlement is the result of an investigation initiated in early 2018 in response to a tip that sensitive information of the organization’s clients was available on its website. An investigator subsequently determined that a spreadsheet containing personal information of 3,751 clients – including without limitation names, social security numbers, diagnosis codes, IQs, and insurance information – had been publicly available online between July 2015 and February 2018. As noted by the Attorney General in its press release announcing the settlement, the organization was obligated under the Health Insurance Portability and Accountability Act (HIPAA) to implement appropriate administrative, technical and physical safeguards to protect that client information.
In addition to the monetary penalty, the organization also agreed to (i) perform an assessment of its security risks and vulnerabilities and submit a report with its findings to the Attorney General’s Office within 180 days of the settlement, (ii) review its data security policies and procedures based on the risk assessment, and (iii) notify the Attorney General of any action taken in response to that assessment (or provide an explanation to the Attorney General of why no action is necessary).
The settlement is an important reminder of the enforcement authority that state Attorneys General hold in response to data breaches, an authority that can arise under HIPAA or under state law. The Office of the New York Attorney General has been among the most active in the country in exercising that authority. All organizations that receive and maintain sensitive personal information of clients or patients, and particularly health care organizations, would therefore be well-advised to make proactive compliance efforts to assess security vulnerabilities and mitigate potential data security risks, and to bear in mind that data breach enforcement actions are not limited to those brought by the federal Office for Civil Rights under HIPAA.