The New York Attorney General has fined the Arc of Erie County $200,000 for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.
The Arc of Erie County, a nonprofit social services agency and chapter of The Arc of New York, was alerted by a member of the public in February 2018 that some of its clients' sensitive personal information was accessible through its website. The data was also indexed by, and accessible via, search engines.
The review of the security breach showed that the sensitive information had been obtainable online for two and a half years, from July 2015 until February 2018, when the error was remedied. The forensic investigation found that multiple individuals from outside the United States had accessed the data on several occasions. The website should only have been accessible internally to staff authorized to view ePHI and should have required a username and password before access to the data was granted.
Overall, the information of 3,751 clients in New York was accessed, including full names, addresses, phone numbers, ages, dates of birth, gender, race, primary diagnosis codes, IQ, health insurance information, and Social Security numbers. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services' Office for Civil Rights (OCR) was informed, and a breach report was sent to the New York Attorney General's office.
Under HIPAA, The Arc of Erie County must safeguard the ePHI of its clients and prevent that data from being obtained by unauthorized individuals. The investigation by the New York Attorney General's office found that HIPAA Rules had been violated because appropriate physical, technical, and administrative safeguards had not been put in place to ensure the confidentiality, integrity, and availability of ePHI. That failure resulted in an impermissible disclosure of clients' ePHI.
New York Attorney General Barbara D. Underwood said: “The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information. This settlement should provide a model to all charities in protecting their communities’ personal information online.”
In addition to paying the $200,000 fine, The Arc of Erie County has committed to implementing a Corrective Action Plan (CAP) that requires it to conduct an in-depth risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A review of that assessment must be presented to the New York Attorney General's office within 180 days. Any vulnerabilities identified must be remediated through a HIPAA-compliant risk management process, and policies and procedures must be reviewed and revised based on the results of the risk analysis.