Colorado Attorney General Settles Data Breach Investigation with Broomfield Skilled Nursing and Rehabilitation Center
A settlement has been reached between the Colorado Attorney General and Broomfield Skilled Nursing and Rehabilitation Center that resolves alleged violations of Colorado’s data protection laws and the Health Insurance Portability and Accountability Act (HIPAA).
Colorado Attorney General, Phil Weiser, launched an investigation of Broomfield Skilled Nursing and Rehabilitation Center in response to a 2021 data breach that exposed the personally identifiable information of hundreds of its patients and employees. Broomfield Skilled Nursing and Rehabilitation Center discovered there had been a security breach on March 3, 2021, when two employee email accounts were found to have email forwarding rules configured that sent emails to an external email address.
Broomfield Skilled Nursing and Rehabilitation Center’s forensic investigation determined in April 2021 that an unknown third party had gained access to the email accounts after compromising the employees’ credentials and had set up forwarding rules on both accounts. A vendor was engaged to conduct a review of the accounts, and on June 25, 2021, it was determined that sensitive data had been sent to an unauthorized third party.
The email accounts contained tens of thousands of emails, some of which included the personal, financial, and medical data of hundreds of current and former patients and employees, including names, financial account information, Social Security numbers, and driver’s license numbers. Some of the emails included data from as early as 2016. In total, the compromised email accounts contained 76,103 emails, which included the PII of 677 individuals – 221 current and former residents and 456 current and former employees.
State law requires companies to have a written data disposal policy; however, no such policy existed at Broomfield Skilled Nursing and Rehabilitation Center. Companies that maintain, own, or license the PII of state residents are required to implement and maintain reasonable security procedures that are appropriate to the nature of PII and the nature and size of the business. Broomfield Skilled Nursing and Rehabilitation Center’s security procedures were found to be insufficient. While the Nursing and Rehabilitation Center was in the process of implementing two-factor authentication (2FA) on its Microsoft 365 email accounts, 3 of its 30 employee email accounts did not have 2FA implemented, and two of those accounts were breached.
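As an added defender-side example (not from the article or the settlement), the script below audits a constructed mailbox inventory for the two gaps described above: inbox rules that forward or redirect mail to an address outside the organization, and accounts without 2FA. The tenant domain, mailbox names and the rule-export field names are assumptions modelled on Exchange Online's Get-InboxRule properties.

```python
# Audit a mailbox inventory for the two gaps seen in this breach: inbox rules that
# forward mail to an external address, and accounts without 2FA. All data is
# constructed; field names mirror Get-InboxRule (ForwardTo, RedirectTo, ForwardAsAttachmentTo).
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-snf.org"}  # assumed tenant domain

@dataclass
class InboxRule:
    name: str
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    forward_as_attachment_to: list = field(default_factory=list)
    enabled: bool = True

@dataclass
class Mailbox:
    user: str
    mfa_enabled: bool
    rules: list = field(default_factory=list)

def external_targets(rule):
    # Recipients whose domain is not ours (case-insensitive); any hit is an exfiltration path.
    targets = rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to
    return sorted(t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)

def audit(mailboxes):
    # Returns (user, finding, detail) tuples; disabled rules are skipped.
    findings = []
    for mb in mailboxes:
        if not mb.mfa_enabled:
            findings.append((mb.user, "MFA_DISABLED", ""))
        for rule in mb.rules:
            ext = external_targets(rule) if rule.enabled else []
            if ext:
                findings.append((mb.user, "EXTERNAL_FORWARD", f"{rule.name} -> {', '.join(ext)}"))
    return findings

def mfa_coverage(mailboxes):
    # (accounts without 2FA, total accounts): the article's "3 of 30" figure for a real tenant.
    return sum(not mb.mfa_enabled for mb in mailboxes), len(mailboxes)

SAMPLE = [  # constructed inventory: two breached accounts, one clean, one with a stale disabled rule
    Mailbox("billing@example-snf.org", False, [InboxRule("Archive", forward_to=["drop@mail-relay.example"])]),
    Mailbox("hr@example-snf.org", False, [InboxRule(".", redirect_to=["Drop@Mail-Relay.example"])]),
    Mailbox("nurse1@example-snf.org", True, [InboxRule("To manager", forward_to=["don@example-snf.org"])]),
    Mailbox("admin@example-snf.org", False, [InboxRule("Old", forward_to=["x@other.example"], enabled=False)]),
]
```

Running `audit(SAMPLE)` flags the two accounts whose rules push mail outside the tenant and lists every account still lacking 2FA; the same checks against a real Get-InboxRule export would have surfaced the forwarding rules well before a vendor review.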
The state attorney general determined that Broomfield Skilled Nursing and Rehabilitation Center did not meet its obligations under the HIPAA Security Rule with respect to encryption. While emails were encrypted when they were sent externally, emails stored in the accounts were not encrypted. HIPAA does not demand the encryption of stored emails, but if encryption is not implemented, other equivalent safeguards must be implemented in its place. Since the compromised accounts were not encrypted, 2FA was not enabled, and emails in the accounts dated back to 2016, the requirements of the HIPAA Security Rule had not been met.
State law requires notification letters to be sent to individuals whose PII has been exposed in a cyberattack and those notification letters must be issued within 30 days of the point in time when there is sufficient evidence to conclude that a security breach has taken place. Broomfield Skilled Nursing and Rehabilitation Center did not send notification letters until November 3, 2021, more than four months after sufficient evidence had been collected to determine that a data breach had occurred.
The attorney general took action against Broomfield Skilled Nursing and Rehabilitation Center for violations of state data protection laws and determined that the violations constituted a deceptive trading practice under the Colorado Consumer Protection Act (CCPA). Under the terms of the settlement, a financial penalty of $60,000 has been imposed, with $25,000 of that amount suspended provided Broomfield Skilled Nursing and Rehabilitation Center complies in full with the settlement agreement. The agreement includes the following requirements:
- Develop a written paper and electronic data disposal policy.
- Review and update its existing information security program to ensure it addresses the vulnerabilities that were exploited in the attack.
- Conduct annual reviews of its data security safeguards.
- Develop an incident response plan.
- Submit regular compliance reports to the Colorado Attorney General and cooperate with any investigations arising out of the state’s monitoring of the company’s compliance with the agreement.
“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” Weiser said. “While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws.”