Here’s a good reminder to think broadly about assessing risk for your organization – the threat actors, the assets, the data you need to protect and the controls in place may not be the ones you usually focus on.
The case in point: The New Jersey attorney general and state consumer affairs office collected a $130,000 settlement from two printing and mailing companies accused of exposing the personal health information of 55,000 clients of an unnamed health insurance company.
According to the official statement, this data breach occurred when printed notices mailed on behalf of the health insurer to some patients carried information about other patients on the back. The company employees (non-malicious insiders as threat actors, in FAIR™ cyber risk speak) allegedly did not check the notices before mailing and so missed the printing error: a vulnerability, or controls failure, to be sure.
The AG accused the companies of violating HIPAA and state fraud law. According to the official announcement, business associates of HIPAA-covered organizations “are required by state and federal law to implement and use appropriate safeguards to protect sensitive consumer information and spot potential threats.” The companies agreed to a consent order without admitting guilt.
The order also requires the two companies to change their business practices, to “better protect sensitive information and identify vulnerabilities and threats,” as the announcement says. Specifically, they must implement a “comprehensive information security program”, appoint a CISO and Chief Privacy Officer, and train employees in security awareness, including how to spot phishing attempts.
Note the language from the New Jersey authorities, straight out of cyber and information risk management, though the data breach in question came via snail mail (the result of a change in printing processes, according to the announcement).
It’s an interesting sign that regulators increasingly expect a standardized approach to risk such as FAIR™ (Factor Analysis of Information Risk, the model that powers the analytics on the RiskLens platform). FAIR applies equally to cyber, information, and operational risk, and provides a structured way to think through all the factors of a risk scenario and achieve an estimate of probable loss exposure – including fines and judgments from your local regulators.
Learn how you can get ahead of cybersecurity and information risk with FAIR and RiskLens - Contact Us.