NJ Acting AG Bruck Reaches Settlement with Two Printing Companies over Improper Disclosures of Protected Health Information
The following press release concerns breaches that occurred five years ago.
NEWARK – Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs today announced that two printing companies have agreed to pay $130,000 in penalties and to implement new security policies to resolve allegations they violated the New Jersey Consumer Fraud Act (CFA) and the federal Health Insurance Portability and Accountability Act (“HIPAA”) in their handling of protected medical and client information.
As businesses that provide mailing and printing services to a leading New Jersey-based managed healthcare organization, Command Marketing Innovations, LLC (“CMI”), and Strategic Content Imaging, LLC (“SCI”), allegedly failed to safeguard sensitive information and disclosed the personal and protected health information of approximately 55,715 New Jersey residents.
Specifically, CMI and SCI failed to detect a printing error that affected explanation of benefits statements mailed to New Jersey residents from October 31, 2016, through November 2, 2016, and caused improper disclosure of protected health information (PHI) such as claims numbers, dates of service, provider and facility names, and the descriptions of services provided relating to medical care received by these New Jersey residents.
“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures is unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”
“Our commitment is to ensure that anyone who handles protected information properly safeguards that information,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “We are pleased CMI and SCI have agreed to implement new practices to protect consumers’ information.”
Business associates of health insurance providers that handle sensitive medical and client information such as CMI and SCI are required by state and federal law to implement and use appropriate safeguards to protect sensitive consumer information and spot potential threats.
The Division’s investigation found the alleged CFA and HIPAA violations occurred when SCI changed its printing process in 2016, causing the back page of one member’s statement to become associated with the front page of another member’s statement. The quality assurance systems of both SCI and CMI failed to identify the error.
Specifically, the companies allegedly violated HIPAA by:
Although CMI and SCI dispute the Division’s allegations, they have agreed to a Consent Order – filed today – that requires both companies to change their business practices and implement new measures to better protect sensitive information and identify vulnerabilities and threats. The reforms include:
Under the terms of the Order, $65,000 will be suspended from the settlement amount provided the companies comply with the terms of the Consent Order.
Section Chief Kashif Chand, Deputy Attorneys General Thomas Huynh and Gina Pittore of the Data Privacy & Cybersecurity Section, and Deputy Attorney General Carla Pereira of the Government & Healthcare Fraud Section, represent the State in the matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.
Source: New Jersey Attorney General’s Office