Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs today announced that two printing companies have agreed to pay $130,000 in penalties and to implement new security policies to resolve allegations they violated the New Jersey Consumer Fraud Act (CFA) and the federal Health Insurance Portability and Accountability Act ("HIPAA") in their handling of protected medical and client information.
According to Acting Attorney General Bruck, As businesses that provide mailing and printing services to a leading New Jersey-based managed healthcare organization, Command Marketing Innovations, LLC ("CMI"), and Strategic Content Imaging, LLC ("SCI"), allegedly failed to safeguard sensitive information and disclosed the personal and protected health information of approximately 55,715 New Jersey residents.
Acting Attorney General Bruck stated that specifically, CMI and SCI failed to detect a printing error that affected the explanation of benefits statements mailed to New Jersey residents from October 31, 2016, through November 2, 2016, and caused improper disclosure of protected health information (PHI) such as claims numbers, dates of service, provider and facility names, and the descriptions of services provided relating to medical care received by these New Jersey residents.
"Companies that handle sensitive personal and health information have a duty to protect patient privacy," said Acting Attorney General Bruck.
"Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk."
Business associates of health insurance providers that handle sensitive medical and client information such as CMI and SCI are required by state and federal law to implement and use appropriate safeguards to protect sensitive consumer information and spot potential threats.
The Division's investigation found the alleged CFA and HIPAA violations occurred when SCI changed its printing process in 2016, causing the back page of one member's statement to become associated with the front page of another member's statement.
The quality assurance systems of both SCI and CMI failed to identify the error.
Specifically, the companies allegedly violated HIPAA by:
- Failing to ensure the confidentiality of PHI
- Failing to protect against a reasonably anticipated unauthorized disclosure of PHI contained in the explanation of benefits statements
- Failing to review and modify security measures as necessary to ensure reasonable and appropriate protection of PHI
Although CMI and SCI dispute the Division's allegations, they have agreed to a Consent Order – filed today – requiring both companies to change their business practices and implement new measures to protect sensitive information better and identify vulnerabilities and threats. The reforms include:
- Implementing and maintaining a comprehensive security information program and event management tool to identify and track potential vulnerabilities and threats
- Appointing one employee for each company as its Chief Information Security Officer with the background and expertise in information security appropriate to implement, maintain, and monitor the information security program
- Appointing one employee for each company as a Chief Privacy Officer with documentation of their background and expertise in HIPAA compliance
- Subscribing to a personalized security awareness and anti-phishing training program and using the program to train their employees
- Obtaining approval from clients that keep or transmit health information before executing any material changes to their printing process
Under the terms of the Order, $65,000 will be suspended from the settlement amount provided the companies comply with the terms of the Consent Order.