Colorado AG Reaches Settlement With Skilled Nursing Center Over Data Breach

A skilled nursing facility in Colorado will pay a fine and take corrective actions for allegedly failing to protect patient and employee data during a 2021 data breach.

Colorado Attorney General Phil Weiser reached a settlement with Broomfield Skilled Nursing and Rehabilitation Center over a 2021 data breach. According to the announcement, Broomfield allegedly failed to protect the personal data of hundreds of patients and employees during the breach.

The settlement agreement requires the skilled nursing facility to pay a fine of between $35,000 and $60,000 and to implement a series of corrective actions.

The settlement stemmed from an incident that began in March 2021, when Broomfield determined that two employee email accounts had been compromised. Neither account was protected by multifactor authentication (MFA), even though most of the company's email accounts were. A partial MFA rollout leaves exactly this kind of gap: the unprotected accounts are the ones an attacker with a stolen or phished password can still reach.

The two inboxes contained thousands of emails holding personal, financial, and medical data, the press release stated, with records dating back as far as 2016. The skilled nursing facility did not maintain a written data disposal policy, despite Colorado state law requiring one; had old messages been disposed of on schedule, far less data would have been exposed. In addition, Broomfield did not disclose the incident until months later, despite the state's 30-day notification requirement.

“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” Weiser said.

“While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws.”

The settlement requires the skilled nursing facility to develop an incident response plan, update its existing information security program, and adopt a written disposal policy covering both paper and electronic data, as Colorado state law requires.

In addition, the company must review safeguards on an annual basis and submit regular compliance reports to the attorney general. The settlement funds will be used to pay restitution and go toward future consumer fraud or antitrust enforcement and consumer education, the attorney general stated.

The case underscores the importance of complying not only with federal data protection laws such as HIPAA, but also with the varying state-level data protection laws, which can impose their own requirements on retention, disposal, and breach notification timelines.
