NJ Provider Settles Two Healthcare Data Breach Investigations For $425K
Regional Cancer Care Associates will pay $425,000 and adopt new security measures to settle two healthcare data breach investigations.
Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC, known collectively as RCCA, will pay $425,000 and implement new security measures to settle two healthcare data breach investigations, New Jersey Acting Attorney General Andrew J. Bruck announced.
The Division of Consumer Affairs reached a settlement after alleging that the cancer care providers failed to sufficiently safeguard patient data, leading to protected health information (PHI) exposure for 105,200 individuals.
RCCA allegedly violated HIPAA and the New Jersey Consumer Fraud Act via two separate healthcare data breaches. The first breach occurred between April and June 2019, when RCCA employee email accounts were compromised through a targeted phishing scheme.
The phishing incident exposed driver’s license numbers, Social Security numbers, financial account numbers, health records, and payment card numbers.
In July 2019, RCCA allegedly caused a second breach when a third-party vendor improperly sent breach notification letters intended for over 13,000 living patients to those patients' next-of-kin instead. As a result, family members of living patients were informed of the patients' illnesses without consent.
According to HIPAA, notifying a patient’s next-of-kin is only permissible if the patient is deceased.
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” Bruck said in the announcement.
“We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
RCCA allegedly violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality and integrity of its clients’ data, failing to develop and implement a written incident response plan, and failing to employ a chief information security officer.
In addition, RCCA allegedly failed to conduct an initial cybersecurity and privacy training for new employees and failed to obtain a third-party independent professional to assess its policies pertaining to the collection, storage, and transmission of patient data.
As a result, RCCA will pay $353,820 in penalties and $71,180 in attorneys’ fees to settle the investigation.
“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” Sean P. Neafsey, Division of Consumer Affairs acting director, explained in the announcement.
“Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”
RCCA agreed to implement a comprehensive information security program, develop a written incident response plan and a cybersecurity operations center, and employ a chief information security officer who will report to the CEO and the HIPAA privacy and security officer.
In addition, the cancer care provider agreed to conduct initial cybersecurity training for new employees and annual training for existing employees and obtain a third-party professional to assess its data storage and management practices.
“Today’s settlement is the third settlement reached by the Division in recent months as part of the Office of the Attorney General’s commitment to hold companies accountable for Consumer Fraud Act and HIPAA violations in connection with data breaches that compromise patient data,” the announcement concluded.
Two New Jersey printing companies recently agreed to pay $130,000 in fines for PHI exposure and potential HIPAA violations.