[Image: computer code and text displayed on computer screens. Credit: Chris Ratcliffe / Bloomberg Creative / Getty Images]

The state of Colorado has settled with Broomfield Skilled Nursing and Rehabilitation Center for not protecting the personal data of hundreds of residents, patients and employees before and during a 2021 data breach. The skilled nursing facility will pay a fine and be required to upgrade its information security systems.

“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” state Attorney General Phil Weiser said Friday in a statement. “While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws.”

In March 2021, according to the attorney general, Broomfield discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, those two email accounts were not protected. The breached inboxes contained tens of thousands of emails, Weiser said. Some emails contained personal, financial and medical data for hundreds of current and former residents, patients and employees, including emails containing personal data going back as far as 2016.

Broomfield had no written data disposal policy even though it is required by state law, according to the attorney general’s office. In addition, the facility also waited months to notify those affected, even though the law requires notification to occur within 30 days, Weiser said.

Under the terms of the settlement agreement, Broomfield will pay a fine of $35,000 to $60,000. The company also will develop a written paper and electronic data disposal policy, update its security protocols, review the safeguards it has put in place at least once a year, develop an incident response plan and submit regular compliance reports to the attorney general.

The settlement funds may be used to pay restitution and for future consumer fraud or antitrust enforcement, consumer education or public welfare purposes, Weiser said.

The Broomfield Skilled Nursing and Rehabilitation Center became Adara Living in February 2022, with the same ownership and staff, according to a post on social media.

In total, the healthcare sector witnessed a 45% surge in cyber attacks in 2021 alone.

So far in 2023, the number of cybersecurity incidents within healthcare has increased by a whopping 104% — affecting 40 million individuals — over the same time period last year, a report from Fortified Health Security shows.