Colorado Attorney General Phil Weiser recently announced a settlement with Broomfield Skilled Nursing and Rehabilitation Center, LLC stemming from a 2021 data breach. The following is the state’s press release:
Sept. 22, 2023 (DENVER) – Attorney General Phil Weiser announced today a settlement with Broomfield Skilled Nursing and Rehabilitation Center, LLC., for failing to protect the personal data of hundreds of patients and employees before and during a 2021 data breach.
“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” Weiser said. “While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws.”
In March of 2021, the nursing facility in question discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, the accounts in question were not protected. The breached inboxes contained tens of thousands of emails, some of which contained personal, financial, and medical data for hundreds of current and former patients and employees, including emails containing personal data going back as far as 2016.
Despite being required under state law, the company had no written data disposal policy. The company also waited months, rather than the legally required 30 days, before notifying those affected.
Under the terms of the settlement agreement, the company will pay a fine of anywhere from $35,000-60,000 and agrees to the following:
- Develop a written paper and electronic data disposal policy as required by state law.
- Update its existing written information security program and review and update the existing information security program to ensure it is compliant with the law, meets the needs of the size and scope of the company’s operations, and addresses the vulnerabilities that led to the breach in the first place.
- Review the safeguards it has put in place on at least an annual basis.
- Develop an incident response plan.
- Submit regular compliance reports to the attorney general and cooperate with any proceedings or investigations that arise out of the state’s monitoring of the company’s operations under the agreement.
The settlement funds may be used to pay restitution, and for future consumer fraud or antitrust enforcement, consumer education, or public welfare purposes.
The introduction to the Assurance of Discontinuance begins with a statement that would be appropriate for so many data breach settlements or lawsuits:
A cybercriminal cannot steal data that is not there. Threats of cybercrime and identity theft are exacerbated by the overcollection, overuse, and over-retention of unnecessary personal information, which is then accessed by threat actors in the event of a data breach. It is crucial that companies offset those threats by practicing data minimization coupled with effective data disposal, limiting their collection and maintenance of personal information to that which is necessary for a specific data processing purpose.
This enforcement action was filed under Colorado’s state laws, not HIPAA.