February 6, 2023

Volume XIII, Number 37


February 06, 2023

Subscribe to Latest Legal News and Analysis

February 03, 2023

Subscribe to Latest Legal News and Analysis

States Catch Health Care Entities Taking the Bait in Phishing Attacks

The State Attorneys General in New York and New Jersey recently settled with four companies over alleged HIPAA noncompliance following phishing attacks. The New Jersey settlements were brought against three NJ-based cancer care providers after a phishing attack on several employees’ email accounts. That attack resulted in the unauthorized access of the PHI of 105,200 patients. Although the providers had implemented safeguards, the NJAG concluded that those measures were insufficient to protect against reasonably anticipated threats. In particular, the NJAG was concerned that an accurate and thorough risk assessment had not been conducted, nor was there sufficient employee training. As part of the settlement, the providers agreed to pay $425,000.

The NYAG announced a similar enforcement recently following a phishing attack of an employee email account that compromised the PHI of approximately 2.1 million individuals. That action resulted in a $600,000 settlement with a provider of vision benefits that the NYAG determined had failed to implement sufficient security measures. In particular, the NYAG was concerned that the provider did not have multifactor authentication for the affected e-mail account or sufficient password management protocols. Also of concern was the lack of email account logging, which made investigations difficult.

Putting it into Practice: These cases illustrate that state attorneys general are using HIPAA, along with other state laws, as tools in their data breach investigation arsenal. Companies will want to take heed of these cases, as well as advice coming directly from state AGs (such as the NY recommendations we described recently). Measures to keep in mind include MFA, logging, HIPAA risk analyses, and appropriate workforce training.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 56

About this Author

Jarrod Brodsky Corporate Lawyer Sheppard Mullin Law Firm

Jarrod Brodsky is an associate in the Corporate Practice Group in Sheppard Mullin's Washington, D.C. office.


J.D., Georgetown University Law Center, 2020

B.A., New York University, 2014, magna cum laude


  • District of Columbia


  • Spanish
Sara Helene Shanti Corporate Lawyer Sheppard Mullin Law Firm

Sara Helene Shanti is a partner in the Corporate Practice Group in the firm's Chicago office.

Areas of Practice

Shanti represents healthcare providers and technology companies in matters related to data privacy, healthcare regulatory compliance and mergers and acquisitions. She counsels clients on various data privacy and healthcare technology matters, including artificial intelligence, data security incidents, mobile applications, and telemedicine. Shanti’s experience includes advising clients on transferring data across multinational borders, implementing...