Years-Long Exposure of Sensitive Client Information Results in $200,000 Settlement with New York Attorney General

Robinson+Cole Data Privacy + Security Insider

In late August, the Attorney General of the State of New York announced a $200,000 settlement with a New York-based non-profit organization that provides services to developmentally disabled individuals and their families after concluding that the organization exposed sensitive personal information of its clients on the Internet for almost three years.

The settlement is the result of an investigation initiated in early 2018 in response to a tip that sensitive information of the organization’s clients was available on its website. An investigator subsequently determined that a spreadsheet containing personal information of 3,751 clients – including without limitation names, social security numbers, diagnosis codes, IQs, and insurance information – had been publicly available online between July 2015 and February 2018. As noted by the Attorney General in its press release announcing the settlement, the organization was obligated under the Health Insurance Portability and Accountability Act (HIPAA) to implement appropriate administrative, technical and physical safeguards to protect that client information.

In addition to the monetary penalty, the organization also agreed to (i) perform an assessment of its security risks and vulnerabilities and submit a report with its findings to the Attorney General’s Office within 180 days of the settlement, (ii) review its data security policies and procedures based on the risk assessment, and (iii) notify the Attorney General of any action taken in response to that assessment (or provide an explanation to the Attorney General of why no action is necessary).

The settlement is an important reminder of the enforcement authority that state Attorneys General hold in response to data breaches, authority that can arise under HIPAA or under state law. The Office of the New York Attorney General has been among the most active in the country in exercising that authority (see, e.g., here). All organizations that receive and maintain sensitive personal information of clients or patients, and health care organizations in particular, would therefore be well-advised to undertake proactive compliance efforts to assess security vulnerabilities and mitigate potential data security risks, and to bear in mind that data breach enforcement actions are not limited to those brought by the federal Office for Civil Rights under HIPAA.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
