Broomfield Skilled Nursing and Rehabilitation Center has reached a settlement with the Colorado Attorney General over alleged violations of HIPAA and Colorado's data protection laws.
Colorado Attorney General, Phil Weiser, began investigating Broomfield Skilled Nursing and Rehabilitation Center because of a 2021 data breach that compromised the personally identifiable information (PII) of numerous patients and workers. Broomfield Skilled Nursing and Rehabilitation Center identified a security breach on March 3, 2021, after finding out that two employee email accounts were configured to forward emails to an outside email address.
According to the forensic investigation of Broomfield Skilled Nursing and Rehabilitation Center performed in April 2021, an unauthorized third party gained access to the email accounts after compromising the employees' credentials and then set up forwarding rules on both accounts. A vendor analyzed the email accounts and confirmed on June 25, 2021, that sensitive records had been transmitted to an unauthorized third party.
The accounts held thousands of emails, a number of which contained the personal, medical, and financial information of many current and former patients and workers, including names, financial account data, driver's license numbers, and Social Security numbers. Some of the emails dated back to 2016. Altogether, the breached email accounts contained 76,103 email messages holding the PII of 677 individuals: 221 current and former residents and 456 current and former workers.
State law requires organizations to have a written data disposal policy; nevertheless, Broomfield Skilled Nursing and Rehabilitation Center did not have one. Organizations that maintain, own, or license the PII of state residents must implement and maintain reasonable security procedures appropriate to the nature of the PII and to the size and type of the business. Broomfield Skilled Nursing and Rehabilitation Center's security procedures were determined to be inadequate. Although the Nursing and Rehabilitation Center was using two-factor authentication (2FA) for its Microsoft 365 email accounts, three employee email accounts did not have 2FA enforced, and two of those accounts were the ones that were compromised.
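The investigation hinged on forwarding rules that silently routed mail from the two compromised accounts to an outside address. The following audit logic, an added example that is not part of the original article or the facility's own tooling, flags every external forwarding path in a tenant export; the org domain, the sample mailboxes and rules are constructed, and the field names assume an export shaped like Exchange Online's Get-Mailbox and Get-InboxRule output.

```python
import re
from dataclasses import dataclass

# Constructed values: the organisation's own mail domain and a sample export.
ORG_DOMAINS = {"example-snf.org"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_MAILBOXES = [  # assumed shape of Get-Mailbox output
    {"UserPrincipalName": "nurse1@example-snf.org", "ForwardingSmtpAddress": None},
    {"UserPrincipalName": "billing@example-snf.org",
     "ForwardingSmtpAddress": "smtp:outside-party@mail.example"},
]
SAMPLE_RULES = [  # assumed shape of Get-InboxRule output
    {"MailboxOwnerId": "nurse1@example-snf.org", "Name": "To charge nurse",
     "Enabled": True, "ForwardTo": ["Jane Doe [SMTP:jane@example-snf.org]"]},
    {"MailboxOwnerId": "nurse1@example-snf.org", "Name": "Forward all",
     "Enabled": True, "ForwardTo": ["collector [SMTP:outside-party@mail.example]"]},
    {"MailboxOwnerId": "admin2@example-snf.org", "Name": "old",
     "Enabled": False, "RedirectTo": ["x [SMTP:someone@mail.example]"]},
]

@dataclass(frozen=True)
class Finding:
    mailbox: str
    source: str
    target: str

def external_addresses(targets, org_domains):
    """Addresses found in `targets` whose domain is not one of the org's own."""
    found = []
    for t in targets:
        for addr in EMAIL_RE.findall(t or ""):
            if addr.lower().rsplit("@", 1)[1] not in org_domains:
                found.append(addr.lower())
    return found

def audit_forwarding(mailboxes, rules, org_domains=ORG_DOMAINS):
    """Flag every route (mailbox setting or inbox rule) that sends mail outside the org."""
    findings = []
    for mb in mailboxes:
        targets = [mb.get("ForwardingSmtpAddress"), mb.get("ForwardingAddress")]
        for addr in external_addresses(targets, org_domains):
            findings.append(Finding(mb["UserPrincipalName"], "mailbox forwarding", addr))
    for r in rules:
        # Disabled rules are reported too: they can be re-enabled without a new login.
        state = "" if r.get("Enabled", True) else " (disabled)"
        targets = [*r.get("ForwardTo", []), *r.get("ForwardAsAttachmentTo", []), *r.get("RedirectTo", [])]
        for addr in external_addresses(targets, org_domains):
            findings.append(Finding(r["MailboxOwnerId"], f"inbox rule '{r['Name']}'{state}", addr))
    return findings

if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_MAILBOXES, SAMPLE_RULES):
        print(f"{f.mailbox}: {f.source} -> {f.target}")
```

Mail forwarded to a colleague inside the org's domain is not reported, so the output is the short list an administrator should review each day rather than every rule in the tenant.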
The state attorney general found that Broomfield Skilled Nursing and Rehabilitation Center failed to meet its obligations under the HIPAA Security Rule regarding encryption. Although emails were encrypted whenever they were transmitted externally, emails stored in the accounts were not. HIPAA does not strictly require stored emails to be encrypted, but when encryption is not used an equivalent alternative safeguard must be implemented instead. Given that the breached accounts were not encrypted, 2FA was not enabled, and the accounts retained emails dating back to 2016, the HIPAA Security Rule requirements were not satisfied.
State law requires that notification letters be sent to individuals whose PII was exposed in a cyberattack. Those letters must be issued within 30 days of the point at which there is sufficient evidence to determine that a security breach occurred. Broomfield Skilled Nursing and Rehabilitation Center did not send notification letters until November 3, 2021, more than four months after sufficient evidence had been obtained to confirm that a data breach had occurred.
The attorney general filed a lawsuit against Broomfield Skilled Nursing and Rehabilitation Center for violating the state's data protection law and found that the violations constituted a deceptive trade practice under the Colorado Consumer Protection Act (CCPA). Under the terms of the settlement, a $60,000 financial penalty was imposed, $25,000 of which is suspended provided that Broomfield Skilled Nursing and Rehabilitation Center fully complies with the settlement terms. The agreement includes these requirements:
- Create a written paper and electronic data disposal policy.
- Evaluate and update its current data security program to make sure it addresses the vulnerabilities that were exploited in the cyberattack.
- Perform annual assessments of its data security measures.
- Create an incident response plan.
- Send regular compliance reports to the Colorado Attorney General and cooperate with any inquiries arising from the state's monitoring of the company's compliance with the agreement.
All cyberattacks have the potential to be damaging, but it is particularly troubling when elderly Coloradans and the people who care for them become victims of cybercrime because a nursing facility failed to properly protect the personal information of its patients and workers. Although the harm in this case has already been done, the settlement serves as a warning that the State Attorney General will not hesitate to act against any organization that fails to comply with Colorado's data protection laws.