Two printing/mailing vendors have agreed to settle an investigation by the state of New Jersey that alleged multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA). The settlement agreement includes a $130,000 financial penalty and a consent order that requires the companies to implement new security policies.
The two companies – Command Marketing Innovations (CMI) and Strategic Content Imaging (SCI) – are both based in New Jersey and were involved in a data breach that saw the personal and protected health information of almost 56,000 New Jersey residents impermissibly disclosed to other individuals.
The incident in question dates back to 2016, when the two companies were contracted by a large New Jersey managed healthcare organization to print and mail explanation of benefits statements. In 2016, SCI changed its printing processes, which resulted in a printing error that caused the last page of one individual's explanation of benefits statement to be attached to another member's statement. The error affected mailings sent between October 31, 2016, and November 2, 2016, and involved 55,715 New Jersey residents.
Neither SCI nor CMI identified the error before the explanation of benefits statements were mailed. The incorrectly associated sheets included information classed as PHI under HIPAA, such as claims numbers, dates of service, provider/facility names, and descriptions of the medical services individuals had received.
Under state and federal laws, business associates of health insurers are required to implement safeguards to ensure the confidentiality of sensitive data and to identify potential threats that could result in the exposure of that information. After being notified about the data breach, the New Jersey Division of Consumer Affairs (DCA) launched an investigation to determine if there had been a violation of state and federal laws.
New Jersey Acting Attorney General Andrew Bruck and the DCA announced on November 10, 2021, that the investigation determined the companies had violated the HIPAA Rules by failing to ensure the confidentiality of the PHI of 55,715 individuals, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures, as necessary, to ensure reasonable and appropriate protection of PHI.
SCI and CMI disputed the findings of the investigation but agreed to settle the case. Under the terms of the consent order, $65,000 of the $130,000 financial penalty is suspended, but becomes payable if the companies fail to comply with the consent order.
The consent order requires the companies to change their business practices and adopt new security measures to better protect sensitive information and identify vulnerabilities and threats to PHI.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Andrew Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
The HITECH Act of 2009 gave state attorneys general the authority to pursue financial penalties for HIPAA violations. New Jersey is one of several states to have taken legal action against companies for HIPAA violations and has been one of the most active states in HIPAA cases in recent years.
In October 2021, Diamond Institute for Infertility and Menopause paid a financial penalty of $495,000 to resolve HIPAA violations that contributed to a breach of the PHI of 14,663 New Jersey residents. In 2019, EmblemHealth paid the state $100,000 over a mailing error that exposed the Social Security numbers of 6,443 state residents, and, also in 2019, Best Transcription Medical paid a financial penalty of $200,000 over the exposure of the PHI of 1,650 individuals via the Internet. The state has also participated in several multi-state actions against other companies that violated HIPAA.