Two cases of exposing patient personal information occurred in New Jersey but serve as warnings to all healthcare providers.
The state’s Division of Consumer Affairs has reached a settlement with three New Jersey-based providers of cancer care that the State alleges failed to adequately safeguard patient data, exposing the personal and protected health information of 105,200 consumers, including 80,333 New Jersey residents.
Under the terms of the settlement, Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively, “RCCA”)—all headquartered in Hackensack, but with 30 locations throughout New Jersey, Connecticut and Maryland—have agreed to pay $425,000 and adopt additional privacy and security measures to safeguard individuals’ protected health information and personal information to resolve the State’s investigation into alleged violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA).
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said Acting Attorney General Andrew J. Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
The first data breach involving RCCA occurred when several RCCA employee email accounts were compromised through a targeted phishing scheme that allowed unauthorized access to patient data stored on those accounts in April-June 2019. The protected information exposed included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers.
Then, in July 2019, in the course of notifying clients of the initial breach, RCCA improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin. As a result of this second breach, family members of those cancer patients were informed of their relatives’ illnesses without their consent.
Under state and federal law, providers that handle sensitive medical and client information, such as RCCA, are required to implement and use appropriate safeguards to protect sensitive consumer information and identify potential threats. Additionally, pursuant to HIPAA, notification of a data breach to one’s next-of-kin is only permissible if the individual is deceased.
“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”
RCCA’s alleged HIPAA and Consumer Fraud Act violations include its failure to:
- ensure the confidentiality, integrity, and availability of its clients’ patient data;
- protect against reasonably anticipated threats or hazards to the security or integrity of patient data;
- conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of patient data;
- implement a security awareness and training program for all members of its workforce; and
- put in place security measures sufficient to reduce risks and vulnerabilities.
While RCCA disputes the Division’s allegations, it has agreed to implement additional privacy and security measures to improve the protection of consumers’ information. These include:
- implementing and maintaining a comprehensive information security program consisting of policies and procedures governing its collection, use, and retention of patient data in accordance with applicable state and federal requirements;
- developing, implementing, and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, analyze, and respond to security incidents;
- employing a Chief Information Security Officer who will report directly to the Chief Executive Officer and the HIPAA Privacy and Security Officer;
- conducting an initial training for all new employees and annual training for existing employees concerning its information privacy and security policies; and
- obtaining a third-party independent professional to assess its policies and practices pertaining to the collection, storage, maintenance, transmission, and disposal of patient data.
The settlement consists of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs.
In October, Acting Attorney General Bruck announced a settlement agreement that required a fertility clinic to implement additional data security measures and pay the state $495,000. In November, a $130,000 settlement was reached with two printing companies that worked with a leading New Jersey-based managed healthcare organization and that also agreed to implement new security policies.
