DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Broomfield Skilled Nursing and Rehabilitation Center settles breach-related charges with Colorado Attorney General

Posted on September 26, 2023 by Dissent

Colorado Attorney General Phil Weiser recently announced a settlement with Broomfield Skilled Nursing and Rehabilitation Center, LLC stemming from a 2021 data breach. The following is the state’s press release:

Sept. 22, 2023 (DENVER) – Attorney General Phil Weiser announced today a settlement with Broomfield Skilled Nursing and Rehabilitation Center, LLC., for failing to protect the personal data of hundreds of patients and employees before and during a 2021 data breach.

“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” Weiser said. “While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws.”

In March of 2021, the nursing facility in question discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, the accounts in question were not protected. The breached inboxes contained tens of thousands of emails, some of which contained personal, financial, and medical data for hundreds of current and former patients and employees, including emails containing personal data going back as far as 2016.

Despite being required under state law, the company had no written data disposal policy. The company also waited months, rather than the legally required 30 days, before notifying those affected.

Under the terms of the settlement agreement, the company will pay a fine of anywhere from $35,000-60,000 and agrees to the following:

  • Develop a written paper and electronic data disposal policy as required by state law.
  • Update its existing written information security program and review and update the existing information security program to ensure it is compliant with the law, meets the needs of the size and scope of the company’s operations, and addresses the vulnerabilities that led to the breach in the first place.
  • Review the safeguards it has put in place on at least an annual basis.
  • Develop an incident response plan.
  • Submit regular compliance reports to the attorney general and cooperate with any proceedings or investigations that arise out of the state’s monitoring of the company’s operations under the agreement.

The settlement funds may be used to pay restitution, and for future consumer fraud or antitrust enforcement, consumer education, or public welfare purposes.


The introduction to the Assurance of Discontinuance begins with a statement that would be appropriate for so many data breach settlements or lawsuits:

A cybercriminal cannot steal data that is not there. Threats of cybercrime and identity theft are exacerbated by the overcollection, overuse, and over-retention of unnecessary personal information, which is then accessed by threat actors in the event of a data breach. It is crucial that companies offset those threats by practicing data minimization coupled with effective data disposal, limiting their collection and maintenance of personal information to that which is necessary for a specific data processing purpose.

This enforcement action was filed under Colorado’s state laws, not HIPAA.

 

Category: Commentaries and AnalysesHealth DataOf NotePhishingState/LocalU.S.

Post navigation

← New AtlasCross hackers use American Red Cross as phishing lure
Data breaches put domestic abuse victims’ lives at risk, UK Information Commissioner warns →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.