The New York Attorney General fined the Arc of Erie County $200,000 for violating HIPAA Rules after it failed to safeguard its clients’ electronic protected health information (ePHI).
The Arc of Erie County is a not-for-profit social services organization and a chapter of The Arc of New York. In February 2018, the Arc of Erie County was informed that sensitive personal information could be viewed on its website. The data could also be found through search engines.
The investigation of the data breach determined that the sensitive data had been viewable on the web for two and a half years, from July 2015 until the exposure was fixed in February 2018. Forensic investigators confirmed that several people located outside the U.S. accessed the data on a number of occasions. The website was supposedly configured so that only personnel with usernames and passwords could access it and view the ePHI.
A total of 3,751 NYC residents had their personal data compromised. The information included clients’ full names, addresses, ages, telephone numbers, birth dates, race, sex, principal diagnosis code, medical insurance details, IQ, and Social Security numbers. The Arc of Erie County sent breach notices to its clients on March 9, 2018. A breach notification was also submitted to the Department of Health and Human Services’ Office for Civil Rights and the New York Attorney General’s office.
The HIPAA Rules require the Arc of Erie County to protect its clients’ ePHI and prevent unauthorized persons from viewing it. The New York Attorney General’s investigation found that the organization violated the HIPAA Rules by failing to implement appropriate technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of ePHI. This violation resulted in the impermissible disclosure of clients’ PHI.
In addition to the $200,000 fine, the Arc of Erie County agreed to a Corrective Action Plan (CAP) that requires a comprehensive risk analysis to identify all security threats and vulnerabilities affecting its electronic equipment and information systems. The organization must submit a report of the analysis to the New York Attorney General’s office within 180 days. Identified vulnerabilities must be remediated through a HIPAA-compliant risk management process, and policies and procedures must be reviewed and updated based on the results of the risk analysis.