33 State AGs Settle 3 Health Data Breach Cases
Breaches at Vendor, Home Health Firm Affected Nearly 2 Million People
Attorneys general across 33 states have reached settlements for three health data breaches that affected nearly 2 million people, including a $1.4 million settlement for a third-party vendor that left patient data exposed for three years.
In that breach case, a software coding flaw by Puerto Rico-based clearinghouse Inmediata exposed the sensitive protected health information of about 1.5 million individuals.
In a separate case, the New York attorney general approved a $350,000 settlement with Personal Touch Home Care over a 2021 ransomware attack that compromised data of nearly 317,000 patients and employees of the Long Island-based home healthcare firm.
In a separate but related settlement, Falcon Technologies Inc., a software vendor of a Personal Touch insurance broker, also agreed to pay the New York state attorney general $100,000 for failing to secure enrollment data provided by Personal Touch.
Each agreement settles a separate set of allegations that the companies violated state consumer protection laws and HIPAA in their respective handling of sensitive health and personal information.
Inmediata learned of its data exposure only after it was contacted by the U.S. Department of Health and Human Services in January 2019 about electronic PHI maintained by the company that could be accessed online by anyone, settlement documents said.
An investigation found that a coding issue had left two webpages open to search engine crawlers, and Bing's bots indexed them from May 16, 2016, through Jan. 15, 2019, according to the settlement documents. As a result, individuals' sensitive information was viewable and downloadable through ordinary online search engine results for nearly three years.
Under that settlement, which was led by Indiana's attorney general, Inmediata agreed to pay $1.4 million to 32 states, plus Puerto Rico.
The details of the settlement with Inmediata vary slightly for each state depending upon local regulations and state laws, but overall they require the company to overhaul its data security and breach notification practices.
Inmediata must implement a comprehensive information security program with specific requirements for code review and crawling controls, develop an incident response plan including specific policies and procedures on consumer notification letters, and undergo annual third-party security assessments for five years.
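The two passages above describe the same control from both ends: pages that served records to anyone and were then indexed by Bing's crawlers, and the "code review and crawling controls" the settlement now requires. The script below is an added example written for this page, not code from Inmediata or from the settlement documents. It audits constructed HTTP responses (the host example.invalid, the paths, the robots.txt and the response bodies are all assumptions made up for the example) and classifies each one the way a practitioner should: a 200 to an anonymous client is the breach regardless of whether a crawler indexes it; robots.txt and noindex only limit discovery. It also shows the hardened form of a record endpoint, where authentication comes first and crawler headers are defence in depth.

```python
"""
Added example (not from the article, Inmediata, or the settlement): audit
constructed HTTP responses for the pattern where record pages are served to
anonymous clients and are therefore indexable by search engines.
"""
from dataclasses import dataclass, field
from urllib.robotparser import RobotFileParser

ORIGIN = "https://example.invalid"  # hypothetical host, never contacted


@dataclass
class Response:
    """An HTTP response as captured from an UNAUTHENTICATED client."""
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def robots_allows(robots_txt: str, path: str, agent: str = "bingbot") -> bool:
    """Would a crawler that honours robots.txt fetch this path?"""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, ORIGIN + path)


def has_noindex(resp: Response) -> bool:
    """noindex via X-Robots-Tag header or a robots meta tag (simplified check)."""
    header = " ".join(v for k, v in resp.headers.items()
                      if k.lower() == "x-robots-tag").lower()
    if "noindex" in header:
        return True
    body = resp.body.lower().replace("'", '"')
    return '<meta name="robots"' in body and "noindex" in body


def classify(resp: Response, robots_txt: str) -> str:
    """
    Order matters: a 200 to an anonymous client is the exposure whether or
    not a crawler indexes it. robots.txt and noindex are requests to
    crawlers, not access controls, so they only change which bucket the
    exposed page lands in.
    """
    if resp.status != 200:
        return "protected"            # 401/403/redirect-to-login: not served anonymously
    if robots_allows(robots_txt, resp.path) and not has_noindex(resp):
        return "exposed+indexable"    # anyone, including search engines, can read it
    return "exposed"                  # hidden from crawlers, still open to anyone with the URL


def audit(responses, robots_txt: str) -> dict:
    """Map each path to its finding."""
    return {r.path: classify(r, robots_txt) for r in responses}


def serve_record(authenticated: bool, record: str) -> Response:
    """
    Hardened endpoint: refuse anonymous requests first, then mark the page
    noindex/no-store so an authenticated view never ends up in a search
    index or a shared cache either.
    """
    if not authenticated:
        return Response("/records/view", 401,
                        {"WWW-Authenticate": 'Bearer realm="records"'})
    return Response("/records/view", 200,
                    {"X-Robots-Tag": "noindex, nofollow",
                     "Cache-Control": "no-store"}, record)


# Constructed robots.txt: /admin/ is disallowed, /records/ is not mentioned.
ROBOTS_TXT = "User-agent: *\nDisallow: /admin/\n"

# Constructed captures, all as seen by a client with no session or token.
SAMPLE = [
    # the flaw: record page answers 200 to anyone and nothing deters crawlers
    Response("/records/view?id=1001", 200, {"Content-Type": "text/html"},
             "<html><body>Patient: J. Doe, DOB 1970-01-01</body></html>"),
    # noindex added but still no auth: out of Bing, still open to anyone with the link
    Response("/records/export?id=1001", 200, {"X-Robots-Tag": "noindex"}, "..."),
    # under a robots.txt Disallow but still no auth: same problem
    Response("/admin/records?id=1001", 200, {}, "..."),
    # correct: the anonymous request is refused
    Response("/records/view?id=1002", 401, {"WWW-Authenticate": "Bearer"}),
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE, ROBOTS_TXT).items():
        print(f"{finding:18} {path}")
```

The ordering in `classify` is the practitioner's point: a crawling control that is applied without an authentication check merely makes the next exposure harder to notice, because the page no longer surfaces in search results while remaining reachable by anyone who has or guesses the URL.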
In addition to Puerto Rico and Indiana, the other state attorneys general participating in the Inmediata settlement are Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin.
Inmediata's settlement with the states follows a $1.1 million settlement reached last year in a civil class action lawsuit against the company for the same incident (see: CaptureRX, Inmediata Breaches: Proposed Settlements Reached).
Inmediata did not immediately respond to an Information Security Media Group request for comment.
Personal Touch Settlement
Documents in the New York attorney general's settlement announced Wednesday with Personal Touch indicate that in January 2021, a company employee opened a malware-laden attachment from a phishing email, allowing a hacker to gain access to Personal Touch's network and collect patient and employee records from an unencrypted server.
The compromised records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people, the attorney general said.
The investigation by the attorney general's office determined that Personal Touch had failed to maintain reasonable data security safeguards to protect patient and employee data.
"Personal Touch's information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data," the attorney general's office said in a statement.
During New York state's investigation into the Personal Touch incident, the company was notified of a third-party breach that affected its employees' personal information, including Social Security numbers, the attorney general's office said.
Personal Touch had provided this data to its insurance broker, which in turn provided it to an enrollment software vendor, Falcon, which placed the data on an unsecured site, the attorney general's office said.
"Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA," the attorney general said.
Under Falcon's settlement with the attorney general, the company must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information.
In addition to the financial settlement, Personal Touch is required to improve its data security practices to protect patient and employee information. That includes maintaining a comprehensive information security program including regular risk assessments, regular testing and monitoring of existing safeguards, and regular updates to the information security program.
Personal Touch did not immediately respond to ISMG's request for comment on the settlements.