June 27, 2022

Volume XII, Number 178

Advertisement
Advertisement

June 27, 2022

Subscribe to Latest Legal News and Analysis

June 24, 2022

Subscribe to Latest Legal News and Analysis

States Catch Health Care Entities Taking the Bait in Phishing Attacks

The State Attorneys General in New York and New Jersey recently settled with four companies over alleged HIPAA noncompliance following phishing attacks. The New Jersey settlements were brought against three NJ-based cancer care providers after a phishing attack on several employees’ email accounts. That attack resulted in the unauthorized access of the PHI of 105,200 patients. Although the providers had implemented safeguards, the NJAG concluded that those measures were insufficient to protect against reasonably anticipated threats. In particular, the NJAG was concerned that an accurate and thorough risk assessment had not been conducted, nor was there sufficient employee training. As part of the settlement, the providers agreed to pay $425,000.

The NYAG announced a similar enforcement recently following a phishing attack of an employee email account that compromised the PHI of approximately 2.1 million individuals. That action resulted in a $600,000 settlement with a provider of vision benefits that the NYAG determined had failed to implement sufficient security measures. In particular, the NYAG was concerned that the provider did not have multifactor authentication for the affected e-mail account or sufficient password management protocols. Also of concern was the lack of email account logging, which made investigations difficult.

Putting it into Practice: These cases illustrate that state attorneys general are using HIPAA, along with other state laws, as tools in their data breach investigation arsenal. Companies will want to take heed of these cases, as well as advice coming directly from state AGs (such as the NY recommendations we described recently). Measures to keep in mind include MFA, logging, HIPAA risk analyses, and appropriate workforce training.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 56
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jarrod Brodsky Corporate Lawyer Sheppard Mullin Law Firm
Associate

Jarrod Brodsky is an associate in the Corporate Practice Group in Sheppard Mullin's Washington, D.C. office.

EDUCATION

J.D., Georgetown University Law Center, 2020

B.A., New York University, 2014, magna cum laude

ADMISSIONS

  • District of Columbia

LANGUAGES

  • Spanish
202.747.2180
Sara Helene Shanti Corporate Lawyer Sheppard Mullin Law Firm
Partner

Sara Helene Shanti is a partner in the Corporate Practice Group in the firm's Chicago office.

Areas of Practice

Shanti represents healthcare providers and technology companies in matters related to data privacy, healthcare regulatory compliance and mergers and acquisitions. She counsels clients on various data privacy and healthcare technology matters, including artificial intelligence, data security incidents, mobile applications, and telemedicine. Shanti’s experience includes advising clients on transferring data across multinational borders, implementing...

312.499.6358
Advertisement
Advertisement
Advertisement