For the second time in a month, the New Jersey attorney general announced a settlement over the compromise of protected health information and potential violations of the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act. The attorney general suspended $65,000 from the settlement “provided the companies comply with the terms of the consent order.”
On Oct. 12, the state’s attorney general reached a $495,000 settlement with Diamond Institute for Infertility and Menopause to resolve allegations of lax cybersecurity practices after a healthcare data breach impacting 14,633 patients in 2017.
The newest settlement was brought against two mailing and printing vendors, Command Marketing Innovations and Strategic Content Imaging. The healthcare business associates agreed to pay $130,000 in penalties and implement new security policies to resolve the allegations that stemmed from a 2016 patient data breach that affected 55,715 state residents.
In 2016, the vendors executed a business associate agreement with an unnamed insurer to provide mailing, fulfillment, and printing services, including explanation of benefits statements for its members. The agreement included obligations to comply with the HIPAA Security Rule and to implement PHI safeguards.
The BAA also included requirements for all contracted vendors interacting with PHI, including to “carry out adequate due diligence on each agent or subcontractor to ensure that it is capable of providing the level of protection required for the PHI and provide evidence of such due diligence to the customer upon request.”
As part of its contract, CMI contracted with SCI to assist with fulfilling and printing the EOBs for the healthcare organization. The contract included an agreement to comply with HIPAA requirements.
However, SCI changed its printing process to increase the size of paper used for the project without notifying the healthcare organization or CMI and without conducting “sufficient quality control checks before SCI amended its printing process.”
In doing so, “the change caused the front page of one member’s EOB to become associated with the back page of another member’s EOB.” The quality assurance system used by SCI failed to identify the mistake, as it only checked the front pages of the EOB for errors and not the back. CMI also failed to detect the printing error.
On Nov. 2, the healthcare client notified SCI of the potential error that inadvertently disclosed the PHI of their members. Patients received EOBs that included the PHI of other plan members, including member identification numbers, claims numbers, dates of services provided, and services codes and or provider names.
The New Jersey investigation into the vendors found that both violated the state’s privacy regulation and HIPAA, by failing to ensure the confidentiality of ePHI and protect against reasonably anticipated unauthorized PHI disclosure, along with failing to review and modify security measures as needed in accordance with those regulations.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting New Jersey Attorney General Andrew Bruck, in the announcement. “Inadequate protective measures is unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
“Our commitment is to ensure that anyone who handles protected information properly safeguards that information,” Division of Consumer Affairs Acting Director Sean P. Neafsey said in a statement. “We are pleased that CMI and SCI have agreed to implement new practices to protect consumers’ information.”
Both CMI and SCI dispute the allegations but agreed to the monetary penalty and consent order, which requires the companies to change their business practices and improve their security measures to protect sensitive information.
Notably, the order requires the companies to obtain “approval from clients that keep or transmit health information before executing any material changes to their printing processes."
Under the order, the vendors must implement and maintain a comprehensive security program and event management tool able to identify and track potential vulnerabilities and threats, as well as appoint an employee from each company as a Chief Information Security Officer with the appropriate background to effectively manage the program.
The companies are also required to appoint an employee from each company as the Chief Privacy Officer with expertise in HIPAA compliance. The order also requires the vendors to subscribe to a personalized security awareness and anti-phishing training program for use with their workforce.
While far less common, the vendors’ printing gaffe was one of several paper-related PHI breaches that occurred between 2013 and 2017. One of the most notable incidents was reported by Aetna in 2017, where the use of a clear envelope for mailing member information exposed sensitive HIV-related information from the front of the envelope.
Just 647 New Jersey residents were impacted at the time, but it led to a $365,212 civil penalty handed down by the state attorney general. The incident also led to additional settlements with other states, as well as a $17 million dollar civil monetary penalty from the Department of Health and Human Services.
