The State Attorneys General in New York and New Jersey recently settled with four companies over alleged HIPAA noncompliance following phishing attacks. The New Jersey settlements were brought against three NJ-based cancer care providers after a phishing attack on several employees’ email accounts. That attack resulted in the unauthorized access of the PHI of 105,200 patients. Although the providers had implemented safeguards, the NJAG concluded that those measures were insufficient to protect against reasonably anticipated threats. In particular, the NJAG was concerned that an accurate and thorough risk assessment had not been conducted, nor was there sufficient employee training. As part of the settlement, the providers agreed to pay $425,000.

The NYAG announced a similar enforcement recently following a phishing attack of an employee email account that compromised the PHI of approximately 2.1 million individuals. That action resulted in a $600,000 settlement with a provider of vision benefits that the NYAG determined had failed to implement sufficient security measures. In particular, the NYAG was concerned that the provider did not have multifactor authentication for the affected e-mail account or sufficient password management protocols. Also of concern was the lack of email account logging, which made investigations difficult.

Putting it into Practice: These cases illustrate that state attorneys general are using HIPAA, along with other state laws, as tools in their data breach investigation arsenal. Companies will want to take heed of these cases, as well as advice coming directly from state AGs (such as the NY recommendations we described recently). Measures to keep in mind include MFA, logging, HIPAA risk analyses, and appropriate workforce training.