Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs.
Under the terms of the settlement announced by Acting Attorney General Andrew Bruck Dec. 15, the companies—collectively RCCA, all headquartered in Hackensack, but with 30 locations throughout New Jersey, Connecticut and Maryland—also agreed to adopt stricter privacy and security measures to safeguard PHI and personal information to resolve the investigation into alleged violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act.
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” Bruck said in a statement. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
The first data breach involving RCCA occurred when email accounts of several RCCA employees were allegedly compromised through a targeted phishing scheme that allowed unauthorized access to patient data stored in those accounts between April 2019 and June 2019. Exposed information included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers.
Then, in July 2019, while notifying clients of the initial breach, RCCA disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin, thus informing family members of relatives’ illnesses without their consent, according to state officials.
Providers that handle sensitive medical and client information are required under state and federal law to use appropriate safeguards to protect sensitive consumer information and identify potential threats. Also, under HIPAA, notification of a data breach to one’s next-of-kin is only permissible if the individual dies.
“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”
According to Bruck’s announcement, RCCA’s alleged HIPAA and Consumer Fraud Act violations include its failure to ensure the confidentiality, integrity, and availability of its clients’ patient data; protect against reasonably anticipated threats or hazards to the security or integrity of patient data; conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of patient data; implement a security awareness and training program for all members of its workforce; and put in place security measures sufficient to reduce risks and vulnerabilities.
RCCA disputes the Division’s allegations but has agreed to implement additional privacy and security measures to heighten protection of PHI, which include implementing and maintaining a comprehensive information security program consisting of policies and procedures governing its collection, use and retention of patient data in accordance with applicable state and federal requirements; developing, implementing, and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, analyze, and respond to security incidents; employing a chief information security officer who will report directly to the CEO and the HIPAA Privacy and Security Officer; conducting initial training for all new employees and annual training for existing employees concerning its information privacy and security policies; and obtaining a third-party independent professional to assess its policies and practices pertaining to the collection, storage, maintenance, transmission, and disposal of patient data.
This settlement is the third reached by the Division in recent months as part of the Office of the Attorney General’s focus on Consumer Fraud Act and HIPAA violations in connection with data breaches that compromise PHI.
Section Chief Kashif Chand and Deputy Attorney General Gina Pittore of the Data Privacy & Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group represented the state in the patient data breach matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.
A spokesperson for RCCA did not immediately respond to a request for comment.