On December 15, 2021, the New Jersey Acting Attorney General Andrew J. Bruck announced that its Division of Consumer Affairs had reached a $425,000 settlement with New Jersey-based providers of cancer care, Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, “RCCA”), over alleged failures to adequately safeguard patient data.
In 2019, RCCA reported two separate data breaches, in total involving the protected health information of more than 105,200 individuals, including 80,333 New Jersey residents. The first breach occurred when RCCA employee email accounts were compromised through a targeted phishing scheme that enabled unauthorized access to patient data stored on those accounts, including health records, driver’s license numbers, Social Security numbers, financial account numbers and payment card numbers. The second occurred when a third-party vendor mailed notification letters to certain living patients’ next-of-kin, which is not permissible under HIPAA.
In connection with these breaches, the Division of Consumer Affairs alleged that RCCA violated the New Jersey Consumer Fraud Act and HIPAA Privacy and Security Rules by failing to:
- ensure the confidentiality, integrity and availability of its clients’ patient data;
- protect against reasonably anticipated threats or hazards to the security or integrity of patient data;
- conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of patient data;
- implement a security awareness and training program for all members of its workforce; and
- put in place security measures sufficient to reduce risks and vulnerabilities.
RCCA disputed these allegations, but agreed to settle the matter. In addition to the $425,000 fine (consisting of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs), RCCA also has agreed to the following privacy and security measures to safeguard individuals’ protected health information:
- implementing and maintaining a comprehensive information security program consisting of policies and procedures governing its collection, use and retention of patient data in accordance with applicable state and federal requirements;
- developing, implementing and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, analyze and respond to security incidents;
- employing a Chief Information Security Officer who will report directly to the Chief Executive Officer and the HIPAA Privacy and Security Officer;
- conducting an initial training for all new employees and annual training for existing employees concerning its information privacy and security policies; and
- obtaining a third-party independent professional to assess its policies and practices pertaining to the collection, storage, maintenance, transmission and disposal of patient data.
The New Jersey Acting Attorney General’s press release indicated that this settlement is the third settlement reached by the Division “as part of the Office of the Attorney General’s commitment to hold companies accountable for Consumer Fraud Act and HIPAA violations in connection with data breach that compromise patient data.” We previously reported on the first of these settlements.