NJ AG Smacks 2 Printing Firms with Hefty Fine in PHI Breach
Settlement Centers on Mishap Affecting Nearly 56,000 Health Plan Members
New Jersey state regulators have smacked two printing vendors with a $130,000 financial settlement and corrective action plan for their involvement in a 2016 mishap that compromised the protected health information of nearly 56,000 residents.
In a joint statement Wednesday, New Jersey acting Attorney General Andrew Bruck and the state's Division of Consumer Affairs said a printing error involving two New Jersey-based companies - Command Marketing Innovations and Strategic Content Imaging - exposed thousands of individuals' PHI in explanation of benefits statements mailed in 2016 on behalf of one of CMI's covered entity clients, a large managed healthcare organization.
The state's investigation found that the companies' actions in the incident potentially violated both the federal HIPAA regulations and New Jersey's Consumer Fraud Act.
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” Bruck said in the statement. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
Some experts note that the case also highlights the importance of organizations properly safeguarding sensitive health information regardless of the medium.
"Paper is still an incredibly important part of the healthcare system, and security should be considered carefully," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"The HIPAA Security Rule doesn’t apply directly to paper records, but this case shows the risks if there isn’t an appropriate security plan for paper."
The state's consent order against the two companies notes that in September 2016, CMI executed a HIPAA business associate agreement with SCI, for SCI to assist CMI in providing fulfillment and printing services to a CMI customer - a managed health plan company - involving the printing of EOBs.
"In late October and early November 2016, without notifying the customer or CMI, SCI changed its printing process by increasing the size of the paper it used to print. SCI did not conduct sufficient quality control checks before SCI amended its printing process," the consent order notes.
"The change caused the front page of one member’s EOB to become associated with the back page of another member’s EOB. SCI’s quality assurance system failed to identify this mistake because the system only checked front pages, not back pages, for errors," the consent order says.
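The failure described in the consent order is a quality-assurance check that looked only at one side of each sheet. As an added illustration that is not from the article or from either company's systems, the following Python models a two-sided EOB print run, injects a constructed back-page shift of the kind a layout change can introduce, and compares a front-only check against one that verifies both sides of every sheet carry the same member identifier. Page structure, member IDs and the shift fault are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Page:
    sheet: int        # physical sheet number in the print run
    side: str         # "front" or "back"
    member_id: str    # identifier printed on this page (constructed values)

def build_run(member_ids: Iterable[str]) -> list[Page]:
    """Lay out a correct two-sided run: each member's EOB occupies both sides of one sheet."""
    pages: list[Page] = []
    for sheet, mid in enumerate(member_ids):
        pages.append(Page(sheet, "front", mid))
        pages.append(Page(sheet, "back", mid))
    return pages

def shift_back_pages(pages: list[Page], offset: int = 1) -> list[Page]:
    """Constructed fault: back pages land `offset` sheets away from their fronts,
    the kind of misalignment an unverified change to the print layout can cause."""
    fronts = [p for p in pages if p.side == "front"]
    backs = [p for p in pages if p.side == "back"]
    shifted: list[Page] = []
    for i, front in enumerate(fronts):
        wrong_back = backs[(i + offset) % len(backs)]
        shifted.append(front)
        shifted.append(Page(front.sheet, "back", wrong_back.member_id))
    return shifted

def front_only_check(pages: list[Page], expected_ids: list[str]) -> list[int]:
    """Weak check (mirrors the failure described): validates fronts only,
    so a back-page shift passes unnoticed. Returns sheets whose front is wrong."""
    fronts = sorted((p for p in pages if p.side == "front"), key=lambda p: p.sheet)
    return [p.sheet for p, mid in zip(fronts, expected_ids) if p.member_id != mid]

def two_sided_check(pages: list[Page]) -> list[int]:
    """Hardened check: front and back of every sheet must name the same member.
    Returns the sheet numbers that would leak one member's data to another."""
    by_sheet: dict[int, dict[str, str]] = {}
    for p in pages:
        by_sheet.setdefault(p.sheet, {})[p.side] = p.member_id
    return [sheet for sheet, sides in sorted(by_sheet.items())
            if sides.get("front") != sides.get("back")]

if __name__ == "__main__":
    ids = ["M-1001", "M-1002", "M-1003", "M-1004"]   # constructed member IDs
    faulty = shift_back_pages(build_run(ids))
    print("front-only check flags:", front_only_check(faulty, ids))  # []
    print("two-sided check flags: ", two_sided_check(faulty))        # [0, 1, 2, 3]
```

A run that passes the front-only check but fails the two-sided check is exactly the case the consent order describes: every sheet mails one member's front with another member's back.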
The statement from the attorney general's office about the settlement does not identify CMI's managed care customer at the center of the breach, and the office declined Information Security Media Group's request for additional details about the case.
But the consent order makes one reference to "Horizon" - noting that on or about Nov. 2, 2016, CMI's managed care customer "notified SCI of a potential printing error that disclosed the PHI of Horizon’s members. Specifically, the customer’s members received EOBs that contained the PHI of other members."
The U.S. Department of Health and Human Services Office for Civil Rights' HIPAA Breach Reporting Tool website listing major health data breaches shows that Horizon Blue Cross and Blue Shield of New Jersey on Dec. 30, 2016, reported to HHS a breach affecting 55,700 individuals, involving a business associate and the unauthorized access/disclosure of PHI involving paper/films.
Around that same time in 2016, Horizon also reportedly issued a public statement - which is no longer available on the company's website - about its print vendor Command Marketing Innovations discovering an error in which some members and providers received statements that included information intended for a different customer, according to a Nov. 23, 2016, article by media site Printing Impressions.
Horizon BCBS did not immediately respond to ISMG's request for comment on the case.
Corrective Action Plans
The settlement requires both printing vendors to implement a number of measures to better safeguard sensitive information and identify security vulnerabilities and threats, the state says.
For each company, those steps include:
- Implementing and maintaining a comprehensive security information program and event management tool to identify and track potential vulnerabilities and threats;
- Appointing a CISO and chief privacy officer;
- Providing a security awareness and anti-phishing training program to employees;
- Obtaining approval from clients that keep or transmit health information before executing any material changes to their printing process.
Under the terms of the settlement, $65,000 will be suspended from the financial payment amount provided the companies comply with the terms of the consent order, the state notes.
Neither CMI nor SCI immediately responded to ISMG's request for comment on the settlement.
This incident is not the first PHI breach involving a printing or mailing mishap that prompted state regulators to take HIPAA and state privacy law enforcement actions.
For instance, in a July 2017 mailing mishap, a vendor for health insurer Aetna sent letters to about 12,000 health plan members that revealed through the envelopes' oversized, clear window that the recipient was taking HIV-related medication.
That incident resulted in a total of about $3 million in settlements between Aetna and the attorneys general of several states, including New Jersey, New York, Connecticut, California and Washington, D.C. - as well as a $17.2 million settlement of a civil class action lawsuit filed against the company.
"While hacking and stolen laptops often draw more attention, large impermissible disclosures due to printing errors pop up pretty regularly and highlight the need for covered entities and business associates to implement good quality control mechanisms with respect to their printing operations," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Managing Vendor Risk
Privacy attorney David Holtzman of consultancy HITPrivacy LLC says New Jersey's settlement with CMI and SCI should serve as a reminder that despite the healthcare industry's overall move to digitize patient records, many organizations continue to produce and send by mail paper documents that contain PHI.
"The same vendor management practices that apply to managing how a vendor protects your data from a ransomware attack or other cybersecurity incident apply to contractors handling sensitive hard copy data," he says.
"Good vendor management practices call for a covered entity to work with their contractors to employ a risk-based strategy to assess the potential for compromise of data."
Other State Actions
The case against CMI and SCI is the second HIPAA-related settlement involving New Jersey's attorney general’s office so far this year.
Last month, Bruck and the state's Division of Consumer Affairs announced a $495,000 financial settlement and corrective action plan with Diamond Institute for Infertility and Menopause LLC related to a hacking incident reported in April 2017 that affected nearly 15,000 individuals.
Also, in November 2020, former New Jersey Attorney General Gurbir Grewal and the state’s Division of Consumer Affairs slapped New Jersey-based Wakefern Food Corp. - the largest retailer-owned cooperative in the U.S. - and two of its associated ShopRite supermarket entities with a $235,000 financial settlement and corrective action plan in the aftermath of an incident involving improperly discarded devices containing personal information of more than 9,700 state residents.
And in 2018, the attorneys general of New Jersey and New York each slapped health insurer EmblemHealth with state financial penalties in connection with a 2016 breach that exposed Social Security numbers on mailings to tens of thousands of plan members in both states.
"We are seeing some efforts by state AGs under HIPAA, but it has been pretty limited," Nahra notes. "I hope the states continue to have the level of sophistication that HHS OCR generally has in reviewing security incidents."