The state of New York enforces HIPAA with investigations and settlements when healthcare providers fail to protect patient data. The recent investigation against Refuah Health Center resulted in the payment of $450,000 in penalties and a requirement to invest $1.2 million in stronger cybersecurity.
Refuah Health Center, based in Hudson Valley, experienced a ransomware attack in May 2021. The cyber attackers accessed the protected health information (PHI) of 250,000 New Yorkers. The affected files contained names, phone numbers, addresses, Social Security numbers, dates of birth, financial account numbers, driver’s license numbers, medical insurance numbers, and various health information.
During its investigation, the New York Office of the Attorney General (OAG) found that the hackers were successful because Refuah failed to use appropriate security safeguards to protect patient data. Refuah allegedly violated the HIPAA Security Rule, the HIPAA Breach Notification Rule, and New York’s General Business Law requiring data security and consumer protection.
According to the OAG:
“Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.”
This is the only latest example of health privacy enforcement in New York. Two other recent examples include New York Presbyterian Hospital, which was ordered to pay $300,000 due to the unauthorized disclosure of PHI through the use of web trackers, and dental insurance provider Healthplex, which agreed to pay $400,000 to resolve an investigation related to a data breach resulting from a November 2021 phishing attack.
Prepare for HIPAA Enforcement
The HHS Office for Civil Rights (OCR) is only one source of HIPAA enforcement. Individual states and the Federal Trade Commission (FTC) can enforce HIPAA. Class action lawsuits are another way that privacy laws are enforced.