Industry Insight

New York Nonprofit Hit With Hefty HIPAA Fine

Attorney General Barbara D. Underwood, JD, recently announced a settlement with The Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities and their families, after finding that the company exposed clients’ sensitive personal information on the internet for years. The settlement requires The Arc of Erie County to conduct a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems, review its policies and procedures, and pay a $200,000 penalty.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers—and that comes with the responsibility to protect them and their sensitive personal information,” Underwood says. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

The Arc of Erie County, formerly known as Heritage Centers, is a chapter of The Arc New York—a national community-based organization advocating for and serving people with intellectual developmental disabilities. The company maintains a principal business address in Buffalo and serves clients throughout the Western New York area.

In early February 2018, The Arc of Erie County received a tip from the public that its clients’ personal data—including full names, social security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, and dates of birth—were exposed on its website.

In a subsequent report, a forensic investigator found that the information was publicly available on the internet from July 2015 to February 2018 and affected 3,751 clients residing in New York. The report confirmed that, upon searching the internet with any search engine, a results page would include links to spreadsheets with clients’ sensitive information. The open webpage was intended only for internal use and was supposed to be protected by a log-in requirement. The report also found that unknown individuals outside the country accessed the links to the sensitive information on many occasions. There was no evidence of malware or other malicious software on the system or of any ongoing communications with outside IP addresses.

On or about March 9, 2018, The Arc of Erie County formally notified affected clients in New York that the organization had inadvertently disclosed their sensitive information. It also provided the aggrieved clients with a free one-year subscription to LifeLock to protect themselves from identity theft. The organization also posted a link to information regarding the breach on its website and a notice in The Buffalo News on March 14, 2018.

Pursuant to HIPAA, The Arc of Erie County is required to safeguard patients’ protected health information, including social security numbers, and utilize appropriate administrative, physical, and technical safeguards.

The settlement requires The Arc of Erie County to implement a Corrective Action Plan that includes a thorough risk analysis of security risks and vulnerabilities of all electronic equipment and data systems and submit a report of those findings to the Attorney General’s Office within 180 days of the settlement. The organization must also review and revise its policies and procedures based on the results of the assessment and notify the Attorney General’s Office of any action it takes. If no action is taken, the company must provide a written detailed explanation of why no action is necessary. Finally, the organization will pay a $200,000 penalty to the state.

— Source: New York State Attorney General


PatientKeeper and MEDHOST Enter Reseller Agreement

PatientKeeper, Inc and MEDHOST, Inc recently announced that they have entered a reseller agreement under which MEDHOST will be able to offer its hospital customers and prospects PatientKeeper’s physician workflow software tightly integrated with MEDHOST’s inpatient EHR solution.

PatientKeeper complements EHR systems with a range of instinctive applications that automate and streamline physicians’ workflow, delivered with a uniquely physician-friendly user experience across both web and native mobile platforms. By offering an intuitive interface tailored to physician specialties and patient situations, PatientKeeper helps remove the obstacles that have hindered EHR usability and transforms the computer into an indispensable tool for care delivery.

“Our goal at MEDHOST is to always look for ways to allow our customers to focus on what’s most important: their patients and their business,” says Bill Anderson, MEDHOST chairman and CEO. “By adding the PatientKeeper suite as an option to our robust EHR, we continue to demonstrate our commitment to excellence, user satisfaction, and customer ROI. Additionally, this will allow us to serve a broader and more mobile customer base.”

“We are delighted that MEDHOST has recognized the value that PatientKeeper can offer to users of MEDHOST’s inpatient EHR systems,” says Paul Brient, PatientKeeper’s CEO. “As a well-respected and long-standing provider of EHRs, MEDHOST appreciates the importance of giving clinicians the tools they need to enhance their productivity and satisfaction, and advance patient care.”

— Source: PatientKeeper, Inc