The Colorado Attorney General has reached a settlement with Broomfield Skilled Nursing and Rehabilitation Center, resolving alleged violations of both Colorado’s data protection laws and the Health Insurance Portability and Accountability Act (HIPAA). Colorado Attorney General Phil Weiser investigated Broomfield Skilled Nursing Center after a 2021 data breach exposed patient and employee information. On March 3, 2021, it was discovered that two employee email accounts were forwarding messages to external addresses.
In April 2021, a forensic investigation confirmed that the email accounts had been accessed without authorization using compromised employee credentials, and that the intruder had set up forwarding rules in them. An external vendor reviewed the accounts and confirmed on June 25, 2021, that sensitive data had been sent to an unauthorized third party.
Moreover, the email accounts held many emails with sensitive data from patients and employees. This included names, financial account details, Social Security numbers, and driver’s license numbers. Some of the emails dated back to 2016. In total, the breached email accounts contained 76,103 emails, exposing the personally identifiable information of 677 individuals, comprising 221 current and former residents and 456 current and former employees.
Under state regulations, companies must establish a written data disposal policy, a requirement that Broomfield Skilled Nursing and Rehabilitation Center failed to fulfill. Businesses handling state residents’ PII must also match their security procedures to the nature of that data and the scale of their operations. Experts deemed the security measures at Broomfield Skilled Nursing and Rehabilitation Center insufficient: during the rollout of two-factor authentication (2FA) for Microsoft 365 email accounts, it was discovered that three of the thirty employee email accounts lacked 2FA, and two of those three were the accounts that were breached.
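The attacker-created forwarding rules described above are a classic post-compromise persistence technique in Microsoft 365, and they are also straightforward to audit. The following PowerShell is an added example, not code from the article, the facility or the Attorney General's office. It assumes the ExchangeOnlineManagement module is installed and a session has already been opened with Connect-ExchangeOnline, and uses `example.com` as a constructed placeholder for the organization's own mail domains. It reports every inbox rule or mailbox-level forwarding setting whose destination lies outside those domains.

```powershell
# Added example (not from the original page): enumerate Exchange Online mailboxes
# and report forwarding to external domains, both via user inbox rules and via
# the mailbox-level ForwardingSmtpAddress attribute.
# Assumes: ExchangeOnlineManagement module, an active Connect-ExchangeOnline session.

function Get-ExternalForwardingReport {
    param(
        # Domains considered internal; anything else is treated as external.
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )

    # Pull the SMTP address out of recipient strings such as
    # '"Jane Doe" [SMTP:jane@example.com]' or a bare 'jane@example.com'.
    function Get-SmtpAddresses([object[]] $Recipients) {
        foreach ($r in $Recipients) {
            if ("$r" -match '([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})') {
                $Matches[1].ToLower()
            }
        }
    }

    # True when the address's domain is not one of the internal domains.
    function Test-External([string] $Address) {
        $domain = $Address.Split('@')[-1]
        return -not ($InternalDomains -contains $domain)
    }

    $findings = @()

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # Mailbox-level forwarding (set by an admin or by anyone with enough rights).
        if ($mbx.ForwardingSmtpAddress) {
            $addr = ("$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', '').ToLower()
            if (Test-External $addr) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Source   = 'ForwardingSmtpAddress'
                    RuleName = $null
                    Target   = $addr
                    Enabled  = $true
                }
            }
        }

        # Inbox rules: the mechanism an intruder with a stolen password can create
        # from Outlook on the web to siphon mail without the owner noticing.
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity)) {
            $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($target in (Get-SmtpAddresses $recipients)) {
                if (Test-External $target) {
                    $findings += [pscustomobject]@{
                        Mailbox  = $mbx.PrimarySmtpAddress
                        Source   = 'InboxRule'
                        RuleName = $rule.Name
                        Target   = $target
                        Enabled  = $rule.Enabled
                    }
                }
            }
        }
    }

    return $findings
}

# Usage: 'example.com' is a constructed placeholder; substitute the tenant's real domains.
Get-ExternalForwardingReport -InternalDomains @('example.com') | Format-Table -AutoSize
```

Any row this returns deserves a follow-up with the mailbox owner, and in an incident like the one described the same rule names and targets are the evidence that establishes when exfiltration began. Running the report on a schedule, together with enforcing multi-factor authentication on every account rather than most of them, addresses both of the control gaps the investigation identified.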
Enforcement and Settlement: HIPAA Violations Lead to Colorado Attorney General’s Action
The Colorado Attorney General’s investigation concluded that Broomfield Skilled Nursing and Rehabilitation Center did not meet its encryption obligations under the HIPAA Security Rule. While the center encrypted outgoing emails, it did not encrypt the emails stored within the accounts. For an entity that does not meet the HIPAA Security Rule requirements, state law requires notification letters to be sent within 30 days of confirming a PII security breach. However, Broomfield Skilled Nursing and Rehabilitation Center did not send notification letters until November 3, 2021, more than four months after it had collected sufficient evidence to confirm the data breach.
The Attorney General acted against Broomfield Skilled Nursing Center for deceptive practices in violation of the CCPA. The settlement imposes a $60,000 financial penalty, of which $25,000 is suspended pending full compliance with its terms. Those terms include the following stipulations:
- Create a written paper and electronic data disposal policy.
- Revise the current information security program to cover exploited vulnerabilities.
- Perform yearly reviews of data security measures.
- Establish an incident response plan.
- Provide regular compliance reports to the Colorado Attorney General and cooperate with any resulting investigations.
“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees. While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws,” Weiser said.