The state of Colorado has settled with Broomfield Skilled Nursing and Rehabilitation Center for not protecting the personal data of hundreds of residents, patients and employees before and during a 2021 data breach. The skilled nursing facility will pay a fine of at least $35,000 and be required to upgrade its information security systems.

All of this stems from the fact that two of its computers did not have dually protected email accounts and were compromised.

“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” State Attorney General Phil Weiser said Friday in a statement.

In March 2021, Broomfield discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, those two email accounts were not protected, officials said.

The breached inboxes contained tens of thousands of emails, Weiser explained. Some emails contained personal, financial and medical data for hundreds of current and former residents, patients and employees, including emails containing personal data going back as far as 2016.

Broomfield had no written data disposal policy even though one is required by state law, according to the attorney general’s office. In addition, the facility waited months to notify those affected, even though the law requires notification to occur within 30 days, Weiser said.

Under the terms of the settlement agreement, Broomfield will pay a fine of $35,000 to $60,000, depending on restitution and future antitrust enforcement needs. The company also will develop a written policy for the disposal of paper and electronic data and update its security protocols.

The settlement funds may be used to pay restitution and for future consumer fraud or antitrust enforcement, consumer education or public welfare purposes, Weiser said.

The Broomfield Skilled Nursing and Rehabilitation Center became Adara Living in February 2022, with the same ownership and staff, according to a post on social media. 

So far in 2023, the number of cybersecurity incidents within healthcare has increased by a whopping 104% — affecting 40 million individuals — over the same time period last year, a report from Fortified Health Security shows.