An investigation conducted by the New Jersey Division of Consumer Affairs into an unauthorized disclosure of the protected health information (PHI) of almost 56,000 New Jersey residents has been settled by New Jersey Acting Attorney General, Andrew Bruck. The two firms will pay financial penalties totaling $130,000 and have agreed to a consent order that requires them to make changes to their policies and procedures to improve data security.
The investigation stems from a data breach in 2016. Command Marketing Innovations (CMI) and Strategic Content Imaging (SCI) are printing and mailing vendors that worked with a large New Jersey managed healthcare organization and handled the printing and mailing of explanation of benefits statements.
Between October 31, 2016, and November 2, 2016, explanation of benefits statements were mailed; however, a printing error occurred that resulted in the last page of an individual’s statement being associated with the front page of the statement of the next person on the list. The investigation confirmed the error occurred as a result of changes made by SCI to its printing processes.
The incorrectly mailed pages contained data classed as PHI under the Health Insurance Portability and Accountability Act (HIPAA) such as claims numbers, dates of service, provider/facility names, and descriptions of the medical services provided. In total, 55,715 individuals had their protected health information impermissibly disclosed.
SCI and CMI provided the printing and mailing services to a HIPAA-covered entity and, since PHI was provided to the two firms in the form of explanation of benefits statements, under HIPAA both companies are classed as business associates. Business associates have a responsibility under HIPAA to implement safeguards to prevent the unauthorized disclosure of PHI. They are also required to implement policies and procedures to identify and mitigate reasonably anticipated vulnerabilities and threats to the confidentiality, integrity, and availability of PHI; however, the error went undetected by both firms.
New Jersey Acting Attorney General Andrew Bruck and the Division of Consumer Affairs determined the firms had violated the HIPAA Rules and also the New Jersey Consumer Fraud Act (CFA). Specifically, the HIPAA violations were the impermissible disclosure of the PHI of 55,715 individuals, the failure to protect against a reasonably anticipated threat of unauthorized disclosure of PHI, and the failure to review and modify security measures to ensure reasonable and appropriate protection of PHI.
SCI and CMI disagreed with the findings of the investigation but agreed to settle the case, which saw $65,000 of the financial penalties suspended on condition that the companies comply with the consent order. The consent order requires several changes to be made to improve privacy and security protections. Those measures include the implementation and maintenance of a comprehensive information security program, appointing an employee with the necessary skills and experience to serve as Chief Information Security Officer, appointing an employee with HIPAA compliance experience as Chief Privacy Officer, subscribing to a personalized security awareness and anti-phishing training program, providing anti-phishing and security awareness training to employees, and ensuring approval is obtained from clients before executing any material changes to their printing processes.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Andrew Bruck. “Inadequate protective measures is unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
This is the second financial penalty for HIPAA violations to be announced by Acting Attorney General Bruck in the past two months. In October, AG Bruck agreed to a $495,000 settlement with Diamond Institute for Infertility and Menopause to resolve HIPAA violations that led to a breach of the PHI of 14,663 New Jersey residents.