New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations
The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)
Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.
Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.
In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.
Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, did not protect against reasonably anticipated threats to the security/integrity of patient data, did not implement security measures to reduce risks and vulnerabilities to an acceptable level, did not conduct an accurate and comprehensive risk assessment, and had not implemented a security awareness and training program for all members of its workforce.
Under the terms of the settlement, three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.
The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.
“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”
New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.