Arc of Erie County Pays $200,000 for Security Breach


The New York Attorney General imposed a $200,000 penalty on the Arc of Erie County for violating the HIPAA Rules by failing to protect its clients’ electronic protected health information (ePHI).

The Arc of Erie County is a non-profit social services organization and a chapter of the Arc Of New York. In February 2018, the Arc of Erie County was notified that sensitive personal information could be accessed through its website. The information had also been indexed by, and was visible in, search engines.

According to the breach investigation, the sensitive information was accessible on the internet for two and a half years, from July 2015 until the error was corrected in February 2018. Forensic experts who investigated the incident determined that multiple individuals located outside the United States accessed the information on several occasions. The webpage was supposed to be accessible only to employees with usernames and passwords, who were the only people authorized to view the ePHI.

A total of 3,751 clients in New York had their personal information exposed. The data included full names, ages, addresses, phone numbers, dates of birth, race, gender, primary diagnosis codes, health insurance information, IQ scores, and Social Security numbers. The Arc of Erie County sent breach notifications to the affected clients on March 9, 2018. A breach report was also submitted to the Department of Health and Human Services’ Office for Civil Rights and to the New York Attorney General’s office.

The HIPAA Rules require the Arc of Erie County to safeguard its clients’ ePHI and to keep unauthorized individuals from accessing it. Upon investigation, the New York Attorney General’s office confirmed that the organization violated the HIPAA Rules by failing to implement appropriate physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, an impermissible disclosure of clients’ ePHI occurred.

In addition to paying the $200,000 penalty, the Arc of Erie County agreed to follow a Corrective Action Plan (CAP) that requires a comprehensive risk analysis to identify all security threats and vulnerabilities affecting its electronic equipment and data systems. The organization must also submit a report of that evaluation to the New York Attorney General’s office within 180 days. Identified vulnerabilities must be remediated through a HIPAA-compliant risk management process, and policies and procedures must be reviewed and revised based on the findings of the risk analysis.