The state of New Jersey has imposed another financial penalty to resolve violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act, its third penalty in as many months.
Regional Cancer Care Associates will pay a financial penalty of $425,000 and is required to implement a slew of measures to improve the privacy and security of healthcare data.
Regional Cancer Care Associates covers three companies headquartered in Hackensack, NJ – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC. The companies operate 30 healthcare facilities throughout New Jersey, Maryland, and Connecticut.
The NJ Attorney General and the Division of Consumer Affairs launched an investigation into two data breaches reported in 2019 that involved the protected health information (PHI) of 105,000 individuals, around 80,000 of whom are New Jersey residents.
The first data breach occurred between April 2019 and June 2019 and was the result of a targeted phishing campaign against the companies. Several employees responded to the phishing emails and disclosed their credentials, which allowed cyber threat actors to access their email accounts. The compromised email accounts contained a wealth of highly sensitive patient data, including names, Social Security numbers, driver’s license numbers, and financial information such as bank account numbers and credit/debit card numbers.
In July of the same year, an error was made when sending breach notification letters to 13,047 living individuals. A third-party vendor sent the notification letters to those individuals’ next of kin, although such communications are permitted only when the patient is deceased or authorization has been obtained in advance. The letters disclosed sensitive information to patients’ relatives, including cancer diagnoses.
The Division of Consumer Affairs identified multiple violations of HIPAA and the New Jersey Consumer Fraud Act during the investigation:
- A failure to conduct a thorough risk analysis to identify threats to the confidentiality, integrity, and availability of PHI
- A failure to protect against reasonably anticipated threats to the security/integrity of patient data
- A failure to implement security measures to reduce risks and vulnerabilities to an acceptable level
- A failure to ensure the confidentiality, integrity, and availability of patient data
- A failure to implement a security awareness and training program for all members of the workforce
“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”
The agreed measures include:
- Implementation and maintenance of a comprehensive information security program
- Implementation and maintenance of a written incident response plan
- Creation of a cybersecurity operations center
- Hiring a CISO to oversee cybersecurity
- Implementing a training program and providing initial training for new employees and annual training on information privacy and security policies
- Arranging a third-party assessment of policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data
Last month, New Jersey Acting Attorney General Andrew Bruck announced a $130,000 settlement with two printing companies and a $495,000 penalty for a fertility clinic to resolve violations of HIPAA and the New Jersey Consumer Fraud Act. Aside from the HHS’ Office for Civil Rights, New Jersey has been the most active enforcer of HIPAA compliance in 2021.