Arc of Erie County Fined $200,000 by NY Attorney General for Security Breach

Sep 19, 2018

The New York Attorney General has fined the Arc of Erie County $200,000 for breaching HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

The Arc of Erie County, a nonprofit social services agency and chapter of The Arc of New York, was made aware by a member of the public in February 2018 that some of its clients’ sensitive personal information was accessible through its website. The data was also indexed by, and accessible via, search engines.

The review of the security breach showed the sensitive information had been obtainable online for two and a half years, from July 2015 until February 2018, when the error was remedied. The forensic investigation into the incident showed that multiple individuals from outside the United States had accessed the data on several occasions. The website should only have been accessible internally by staff authorized to view ePHI, and it should have required a username and password before any access to the data was granted.

Overall, 3,751 clients in New York had their information accessed, including their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) was informed, and a breach report was sent to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County must safeguard the ePHI of its clients and prevent that data from being obtained by unauthorized people. The review of the violation by the New York Attorney General’s office found that HIPAA Rules had been violated because appropriate physical, technical, and administrative security measures had not been put in place to ensure the confidentiality, integrity, and availability of ePHI. That failure resulted in an impermissible disclosure of clients’ ePHI.

New York Attorney General Barbara D. Underwood said: “The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information. This settlement should provide a model to all charities in protecting their communities’ personal information online.”

Along with paying a fine of $200,000, The Arc of Erie County has committed to implementing a Corrective Action Plan (CAP) that includes the requirement to conduct an in-depth risk analysis to identify all security risks and weaknesses affecting its electronic equipment and data systems. A report on that assessment must be presented to the New York Attorney General’s office within 180 days. Any weaknesses identified must be remedied through a HIPAA-compliant risk management process, and policies and procedures must also be reviewed and revised based on the results of the risk analysis.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
