NJ AG Fines Cancer Center in Two Related 2019 PHI BreachesEntity Also Agrees to Bolster Data Security, Privacy Practices
A New Jersey cancer treatment center and two of its affiliated entities have agreed to pay $425,000 and to bolster data security and privacy practices in a settlement with state regulators in the wake of two related 2019 data breaches affecting a total of 105,200 consumers in several states, including more than 80,000 New Jersey residents.
In a statement Wednesday, the New Jersey Office of the Attorney General and its Division of Consumer Affairs said Regional Cancer Care Associates LLC and its two affiliates, RCCA MSO LLC and RCCA MD LLC, have agreed to a settlement to resolve the state's investigation into alleged violations of HIPAA and the New Jersey Consumer Fraud Act involving two breaches of protected health information.
All three RCCA entities are headquartered in Hackensack, New Jersey, but they have 30 locations in New Jersey, Connecticut and Maryland.
The RCCA settlement payment includes nearly $354,000 in penalties and more than $71,000 in attorneys' fees and investigative costs.
The state's consent order also calls for RCCA to implement additional privacy and security measures to improve protection of consumers' information.
The state says RCCA's first breach occurred in May 2019, when several of the cancer center's employee email accounts had been compromised in a targeted phishing scheme that resulted in unauthorized access to patient information stored in those accounts from April 2019 to June 2019.
Compromised information in that incident included patients' health records, driver's license numbers, Social Security numbers, financial account numbers and payment card numbers, the attorney general's statement says.
Among other security weaknesses, at the time of the May 2019 phishing incident, RCCA did not have multifactor authentication implemented and did not utilize a security information and event management program, the state's investigation found.
The second breach occurred in July 2019 during the process of notifying individuals about the first breach. State regulators say RCCA improperly disclosed patient data when a third-party vendor mailed notification letters intended for 13,047 living patients and addressed the letters to those patients’ prospective next of kin.
"As a result of this second breach, family members of those cancer patients were informed of their relatives' illnesses without their consent," the statement says.
"New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyberthreats," acting Attorney General Andrew Bruck says in the statement. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short."
Bolstering Data Protection
Under its agreement with the state, RCCA must take steps to improve protection of patient data, including:
- Implementing and maintaining a comprehensive information security program consisting of patient data collection, use and retention policies and procedures that are compliant with state and federal requirements;
- Developing, implementing and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, analyze and respond to security incidents;
- Employing a CISO who will report directly to the CEO and the HIPAA privacy and security officer;
- Conducting an initial training for all new employees and annual training for existing employees concerning RCCA's information privacy and security policies;
- Obtaining a third-party independent professional to assess RCCA's policies and practices pertaining to the collection, storage, maintenance, transmission and disposal of patient data.
RCCA did not immediately respond to Information Security Media Group's request for comment.
The settlement with RCCA is the latest enforcement action by the New Jersey Office of the Attorney General and Division of Consumer Affairs involving alleged violations of HIPAA and the state's consumer fraud law.
In November, the office announced a $130,000 financial settlement and corrective action plan with two printing companies - Command Marketing Innovations and Strategic Content Imaging - for their involvement in a 2016 explanation of benefits mailing mishap that compromised the PHI of nearly 56,000 residents (see: NJ AG Smacks 2 Printing Firms with Hefty Fine in PHI Breach).
In October, the office announced a $495,000 financial settlement and corrective action plan with a fertility clinic, Diamond Institute for Infertility and Menopause LLC, related to a hacking incident reported in April 2017.
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
Other Mailing Mishaps
The attorney general's settlement with RCCA , as well as the office's November settlement with Command Marketing Innovations and Strategic Content Imaging, are among the latest enforcement actions by state regulators for PHI breaches involving mailing mishaps.
In a July 2017 mailing mishap, a vendor for health insurer Aetna sent letters to about 12,000 health plan members that revealed through the envelopes' oversized, clear window that the recipient was taking HIV-related medication.
That incident resulted in a total of about $3 million in settlements between Aetna and the attorneys general of several states, including New Jersey, New York, Connecticut and California, as well as Washington, D.C. It also resulted in a $17.2 million settlement of a civil class action lawsuit filed against the company.
Breach cases involving mailings and similar mishaps spotlight the importance of not only protecting electronic PHI but also paper-based PHI under HIPAA and personally identifiable information under state or international laws, says privacy attorney Iliana Peters of the law firm Polsinelli.
"While we all coordinate closely with IT teams and IT vendors to ensure we continue to 'up our game' on the data security for our enterprises, we cannot lose sight of concerns that result from mis-mailing, mis-faxing, and other non-cyber-related issues, as they too can create significant risk for entities both in the healthcare sector and otherwise."