Broomfield Skilled Nursing and Rehabilitation Center, an assisted living facility in Broomfield, will pay a fine and be required to upgrade its information security systems following a 2021 data breach that exposed the personal data of hundreds of current and former patients and employees.
In March of that year, the facility discovered two employee email accounts had been compromised. The company had established two-factor authentication for access to its email system, but the two accounts were not protected. Tens of thousands of emails in those two accounts contained personal, financial and medical data, some of it dating back to 2016.
The Colorado Attorney General's Office announced the settlement Friday.
"Every cybersecurity threat is potentially devastating, but it's particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees," Attorney General Phil Weiser stated in a press release. "While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws."
The office also criticized the business's response, accusing it of waiting months before notifying those affected. Businesses are legally required to do so within 30 days.
Broomfield Skilled Nursing and Rehabilitation Center also broke state law by not having a paper and electronic data disposal policy in place, the office alleged.
Broomfield Skilled Nursing agreed to pay between $35,000 and $60,000, to develop that disposal policy and an incident response plan, to make other updates to its information security systems, to review annually the safeguards put in place and submit compliance reports, and to cooperate with investigations by state monitors.
for more features.