Visionworks LLC has agreed to settle with the Maryland Attorney General for exposing the Protected Health Information (PHI) of approximately 72,000 Marylanders. The company will pay a fine of $100,000 to the state for the data security failures that led to the breach.
Two Data Breaches Reported in Quick Succession
The company discovered two separate data breaches, reported in November and December of last year, that together exposed the PHI of 122,627 individuals. The first incident was classified as a lost server containing 74,944 records; the second was reported as a network server theft exposing 47,683 records. The servers are most likely now in a landfill; however, the incident did potentially expose names, addresses, dates of birth and purchasing histories.
The company was reportedly in the process of upgrading to encrypted servers, but the old servers were left unsecured in the company’s stores. That is a breach of the HIPAA Security Rule, which requires physical safeguards to be put in place to keep PHI secured.
It is believed that the servers were mistakenly disposed of, and that there was little risk of breach victims being affected by fraud or suffering identity theft. Even so, out of an abundance of caution, a year of credit monitoring services was offered.
Settlement Reached with Maryland AG
This week, the Office of the Attorney General Consumer Protection Division entered into a settlement agreement with Visionworks for its failure to safeguard consumer information and to ensure its secure disposal. According to a statement issued by Attorney General Brian E. Frosh, “Devices that contain personal information must be properly secured and discarded. Otherwise, the door is open for data to fall into the wrong hands.” He went on to issue a warning to other companies doing business in the state of Maryland: “This case should put businesses on notice that they need to be vigilant on behalf of their customers.”
In addition to paying the state $100,000, the company must implement a number of new security measures to ensure future data breaches are prevented. The company also agreed to extend the period over which credit monitoring and identity theft protection services will be offered: two years will now be offered without charge to individuals affected by the breach. However, this settlement only applies to the exposure of Maryland residents’ PHI. Another 50,000 individuals were affected, many of whom live in Pennsylvania, so this may not be the only financial penalty Visionworks will have to pay.