New York Attorney General Settlements Garners $400,000

The Incident and Settlement

In November 2021, an unknown attacker sent a phishing email to an employee of Healthplex. As a result, the hacker gained access to 130,000 emails dating back 12 years. While the phishing incident affected 90,000 patients in various states, a case was brought to New York State regulators, as 64,000 are New York state residents.

Protected health Information that may have been compromised due to the incident potentially included:

• Patients’ first and last names
• Credit card numbers and banking information 
• Social Security and driver’s license numbers

Following an investigation into the incident, Healthplex signed a settlement with New York state, agreeing to pay $400,000 and submit to a corrective action plan. 

As part of the corrective action plan, Healthplex must: 

• Implement a data retention policy to dispose of information no longer needed for business purposes 
• Use multifactor authentication
• Have a CISO that reports to the company’s CEO and its board of directors

“Federal and state enforcement of health information privacy laws is increasing exponentially due to the increased number of breaches and persons affected,” said regulatory attorney Paul Hales of the Hales Law Group.

“All organizations should have a firm email destruction policy established with advice of legal counsel to avoid the time and expense of producing or searching through emails in response to a discovery request,” Hales said.

Preventing HIPAA Breaches and Fines

As breaches targeting healthcare organizations skyrocket, it is essential to implement measures to prevent unauthorized access to sensitive data. Implementing an effective HIPAA compliance program is the best way to do so. HIPAA compliance includes risk analysis, policies and procedures, employee training, and incident management. Had Healthplex implemented an effective compliance program, the incident and subsequent fine could have been prevented.