2 State AGs Slap DNA Testing Lab With HIPAA Fines for Hack
Compromised Database With PHI on 2.1M People Had Not Been Used for a Decade
The attorneys general of Pennsylvania and Ohio have slapped a DNA testing lab with HIPAA settlements totaling $400,000 in the wake of a 2021 hack of a legacy database that affected 2.1 million individuals nationwide, including nearly 46,000 consumers in the two states.
Under the Pennsylvania and Ohio settlements with DNA Diagnostics Center, the Fairfield, Ohio-based company also agreed to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any identified assets that are not necessary for a legitimate business purpose.
DNA Diagnostics Center's hacking incident involved an archived database belonging to a national genetic testing organization that DDC acquired in 2012. That system had never been used in DDC's operations and had not been active since 2012, DDC said in its breach notification statement in 2021 (see: DNA Testing Firm: 2.1 Million Affected by Legacy Database Hack).
Data contained in the compromised legacy database was collected between 2004 and 2012.
The breach exposed Social Security numbers and other personal data of about 33,300 consumers in Ohio and about 12,600 in Pennsylvania, the two states say. DNA Diagnostics Center has agreed to pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania.
DNA Diagnostics had hired a third party to conduct data breach monitoring prior to the 2021 incident, the attorneys general say. But after detecting a breach in May 2021, "the contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months," they said.
During those two months, the attackers installed malware in the company's network and extracted data. The stolen data wasn't DNA Diagnostics' customer information but rather data contained in the legacy database of the other company - Orchid Cellmark - that the lab had acquired in 2012 to expand its business portfolio, the states say.
Prior to the breach, DNA Diagnostics had conducted an inventory assessment and a penetration test on its systems, but the legacy database, which stored sensitive information in plaintext, was not identified because the assessments were scoped only to active customer data, the attorneys general say. Scoping an inventory or a penetration test to the systems currently in use is exactly how an acquired, never-integrated database stays outside every control for a decade.
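The scoping failure described above, that is, an assessment built from the list of active customer systems rather than from everything reachable on the network, is straightforward to check for. The following Python is an added example written for this article; it is not DDC's tooling, nor anything from the settlement documents. It assumes a hostname-keyed asset inventory with a status, an owner, a documented business purpose and the data classes each asset holds, plus a discovery export (for instance from a network scan) of what is actually reachable. Both data sets are constructed for illustration. It first models the narrow "active customer data" scope the attorneys general describe, then reconciles discovery against the full inventory to surface the assets that scope misses: hosts not in the inventory at all, hosts inventoried as archived or decommissioned but still reachable, and hosts with no recorded owner or business purpose (the settlement's removal criterion).

```python
"""Reconcile discovered network assets against a declared asset inventory.

Added example, not DDC's code. Inventory and discovery data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    hostname: str
    status: str                     # "active", "archived" or "decommissioned"
    owner: str                      # accountable team; "" if nobody is recorded
    business_purpose: str           # "" if none is documented
    data_classes: tuple[str, ...]   # e.g. ("PHI", "SSN"); () if none recorded


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str                   # "critical", "high", "medium" or "low"
    reason: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed inventory. "legacy-archive-db" stands in for an acquired system
# that was never integrated, has no owner, and still holds regulated data.
INVENTORY = [
    InventoryRecord("lims-prod-01", "active", "lab-it", "production LIMS", ("PHI",)),
    InventoryRecord("web-portal-01", "active", "web-team", "customer portal", ("PII",)),
    InventoryRecord("legacy-archive-db", "archived", "", "", ("PHI", "SSN")),
    InventoryRecord("build-runner-02", "active", "dev", "CI runner", ()),
    InventoryRecord("old-fileserver", "decommissioned", "lab-it", "", ()),
]

# Constructed discovery export: (hostname, ip, open ports) as a scanner would report.
DISCOVERED = [
    ("lims-prod-01", "10.20.1.10", (443,)),
    ("web-portal-01", "10.20.2.15", (80, 443)),
    ("legacy-archive-db", "10.20.9.40", (1433, 3389)),
    ("build-runner-02", "10.20.3.7", (22,)),
    ("jumpbox-unknown", "10.20.9.41", (3389,)),
]


def assessment_scope(inventory: list[InventoryRecord]) -> list[str]:
    """The narrow scope the article describes: active hosts holding customer data.

    Anything archived, or anything with no data classes recorded, falls outside
    it, which is how a legacy database full of PHI is never tested.
    """
    return [r.hostname for r in inventory if r.status == "active" and r.data_classes]


def reconcile(inventory: list[InventoryRecord], discovered: list[tuple]) -> list[Finding]:
    """Compare what is reachable with what is declared and rank the gaps."""
    by_host = {r.hostname.lower(): r for r in inventory}
    findings: list[Finding] = []

    for hostname, ip, ports in discovered:
        rec = by_host.get(hostname.lower())
        if rec is None:
            # Reachable but undeclared: nobody is assessing or patching it.
            findings.append(Finding(hostname, "high",
                            f"reachable at {ip} (ports {ports}) but absent from inventory"))
            continue
        if rec.status != "active":
            # Declared retired yet still answering on the network.
            held = ", ".join(rec.data_classes) or "no recorded"
            severity = "critical" if rec.data_classes else "high"
            findings.append(Finding(hostname, severity,
                            f"inventoried as {rec.status} but reachable at {ip}; holds {held} data"))
        if not rec.owner or not rec.business_purpose:
            # The settlement's removal criterion: no legitimate business purpose.
            findings.append(Finding(hostname, "medium",
                            "no documented owner or business purpose; candidate for removal"))

    # Declared active but not seen: the inventory itself may be stale.
    seen = {h.lower() for h, _, _ in discovered}
    for rec in inventory:
        if rec.status == "active" and rec.hostname.lower() not in seen:
            findings.append(Finding(rec.hostname, "low",
                            "inventoried as active but not found in discovery"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    print("Narrow assessment scope:", assessment_scope(INVENTORY))
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"[{f.severity:8}] {f.hostname}: {f.reason}")
```

Run against the constructed data, the narrow scope contains only the two active customer-facing hosts; the reconciliation ranks the archived PHI database as critical (still reachable, still holding regulated data, no owner) and flags the undeclared host as high. The decommissioned file server that really is gone produces no finding, which is the distinction between an inventory entry and an asset.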
"The joint investigation by Ohio and Pennsylvania found DNA Diagnostics made unfair and deceptive statements about their cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, unnecessarily exposing its consumers to harm," the joint statement by the attorneys general says.
DNA Diagnostics Center did not immediately respond to Information Security Media Group's request for comment on the settlements and whether the company was also defending itself against pending enforcement actions by any other states.
The HIPAA enforcement actions against DNA Diagnostics Center are the latest taken by state attorneys general against a healthcare sector entity in the aftermath of a breach.
In January, Salt Lake City-based Avalon Health Care Management agreed to a $200,000 settlement with the attorneys general of Utah and Oregon in the wake of a phishing email data breach affecting 14,500 individuals. The company delayed reporting the breach to state and federal regulators for 10 months, well beyond the 60-day deadline set by the HIPAA Breach Notification Rule (see: Senior Healthcare Firm Pays Breach Settlement to States).
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions on behalf of their residents for violations of the HIPAA privacy, security and breach notification rules.