Health Care Entities Taking the Bait in Phishing Attacks – The National Law Review

The State Attorneys General in New York and New Jersey recently settled with four companies over alleged HIPAA noncompliance following phishing attacks. The New Jersey settlements were brought against three NJ-based cancer care providers after a phishing attack on several employees’ email accounts. That attack resulted in unauthorized access to the PHI of 105,200 patients. Although the providers had implemented safeguards, the New Jersey Attorney General (NJAG) concluded that those measures were insufficient to protect against reasonably anticipated threats. In particular, the NJAG was concerned that an accurate and thorough risk assessment had not been conducted and that employee training was insufficient. As part of the settlement, the providers agreed to pay $425,000.
The New York Attorney General (NYAG) recently announced a similar enforcement action following a phishing attack on an employee email account that compromised the PHI of approximately 2.1 million individuals. That action resulted in a $600,000 settlement with a provider of vision benefits that the NYAG determined had failed to implement sufficient security measures. In particular, the NYAG was concerned that the provider did not have multifactor authentication (MFA) for the affected email account or sufficient password management protocols. Also of concern was the lack of email account logging, which made the investigation of the incident difficult.
Putting it into Practice: These cases illustrate that state attorneys general are using HIPAA, along with other state laws, as tools in their data breach investigation arsenal. Companies will want to take heed of these cases, as well as of advice coming directly from state AGs (such as the NY recommendations we described recently). Measures to keep in mind include MFA, logging, HIPAA risk analyses, and appropriate workforce training.
About this Author
Jarrod Brodsky is an associate in the Corporate Practice Group in Sheppard Mullin’s Washington, D.C. office.
J.D., Georgetown University Law Center, 2020
B.A., New York University, 2014, magna cum laude
Sara Helene Shanti is a partner in the Corporate Practice Group in the firm’s Chicago office.
Areas of Practice
Shanti represents healthcare providers and technology companies in matters related to data privacy, healthcare regulatory compliance and mergers and acquisitions. She counsels clients on various data privacy and healthcare technology matters, including artificial intelligence, data security incidents, mobile applications, and telemedicine. Shanti’s experience includes advising clients on transferring data across multinational borders, implementing…