A trio of healthcare providers in New Jersey has agreed to pay $425,000 and adopt new security measures to settle a legal claim involving a double data breach.
The state of New Jersey alleged that Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively “RCCA”) failed to adequately safeguard the personal data and protected health information (PHI) of thousands of cancer patients.
More than 105,200 patients (including 80,333 New Jersey residents) were affected by two data breaches, both of which occurred in 2019.
In the first incident, patient data was exposed when several RCCA employee email accounts were compromised in a phishing attack carried out between April and June. Sensitive data accessed in the attack included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers.
The second data breach occurred in July, when a third-party vendor, hired by RCCA to mail out data breach notification letters to patients impacted by the incident, erroneously sent letters to patients’ prospective next-of-kin.
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of a data breach to a victim’s next-of-kin is allowed only in cases where the victim is deceased.
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey’s acting attorney general, Andrew Bruck.
“We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
New Jersey accused RCCA of five violations, including failing to protect against reasonably anticipated threats or hazards to the security or integrity of patient data and failing to implement a security awareness and training program for all members of its workforce.
The RCCA companies, which are all headquartered in Hackensack, New Jersey, and have 30 locations throughout Connecticut, New Jersey, and Maryland, disputed the allegations.
However, the healthcare group agreed to a settlement consisting of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. RCCA also agreed to adopt new security measures, which included hiring a chief information security officer.