The New Jersey Division of Consumer Affairs has reported a settlement of a data breach investigation that involved violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)
Regional Cancer Care Associates based in Hackensack, NJ is an umbrella name for three healthcare organizations that manage healthcare facilities in 30 areas in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.
Between April and June 2019, certain email accounts of employees were exposed. Employees had responded to targeted phishing emails and revealed their credentials, which granted the scammers to get access to their email accounts as well as the protected health information (PHI) of more than 105,000 people. The email accounts included PHI including names, Social Security numbers, driver’s license numbers, health records, bank account data, and credit card data.
In July 2019, breach notification letters were mailed to 13,047 persons by a third-party provider; nevertheless, the letters were mailed by mistake to the persons’ next-of-kin. The notification letters showed sensitive details like the patient’s medical conditions, such as cancer diagnoses, when permission to disclose that data was not provided by the patients.
In the two cases, the PHI of over 105,000 persons was compromised or impermissibly disclosed, which includes the PHI of about 80,000 New Jersey locals.
According to New Jersey Acting Attorney General Bruck, New Jerseyans fighting cancer must never have to stress about whether their medical care providers are appropriately securing their personal details from cyber threats. Healthcare companies should implement sufficient security measures to protect patient information, and companies that fall short will be held accountable.
Allegedly, the organizations have violated the HIPAA and the Consumer Fraud Act by
- not being able to make sure the confidentiality, integrity, and availability of patient information
- not protecting against fairly expected threats to the security/integrity of patient data
- not implementing security procedures to minimize risks and vulnerabilities to an acceptable level
- not conducting an accurate and extensive risk assessment
- not implementing a security awareness and training course for all members of its workforce.
As per the terms of the settlement, three organizations will pay a financial penalty of $425,000 and have to employ additional privacy and security steps to make certain the integrity, confidentiality, and availability of PHI.
The companies must use and adopt a detailed information security plan, a written incident response plan, and cybersecurity operations center, use a CISO to supervise cybersecurity, carry out initial training for workers and annual training on information privacy and security policies, and acquire a third-party evaluation on policies and procedures associated with the collection, storage, maintenance, transmission, and disposal of patient information.
Division of Consumer Affairs Acting Director Sean P. Neafsey stated that organizations have a responsibility to take purposeful steps to protect protected health and personal data and to avert unauthorized disclosures. The Consumer Affairs investigation showed that RCCA did not completely follow HIPAA requirements, but the firms have decided to enhance their security measures to make sure to secure consumers’ information.
New Jersey is very active in HIPAA enforcement. In the past few months, there were settlements reached with two companies for HIPAA and the Consumer Fraud Act violations. A New Jersey fertility clinic paid a fine of $495,000 in October, and two printing businesses paid a penalty of $130,000 in November.