The New Jersey Division of Consumer Affairs has agreed to a settlement resolving a data breach investigation that identified violations of the federal Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act.
Regional Cancer Care Associates, based in Hackensack, NJ, is the name used by three healthcare companies that provide healthcare services at 30 locations in Connecticut, Maryland, and New Jersey: Regional Cancer Care Associates LLC, RCCA MD LLC, and RCCA MSO LLC.
Between April and June 2019, several staff email accounts were compromised. Staff members had clicked on phishing emails and disclosed their credentials, which allowed the attackers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, driver's license numbers, Social Security numbers, medical records, bank account details, and credit card information.
In July 2019, a third-party vendor mailed notification letters to 13,047 individuals; however, the letters were mistakenly sent to the individuals' next of kin. The notification letters disclosed sensitive information such as the patients' health conditions, including cancer diagnoses, even though the patients had not authorized sharing that information.
Across the two incidents, the PHI of more than 105,000 individuals was compromised or impermissibly disclosed, including the PHI of approximately 80,000 New Jersey residents.
According to New Jersey Acting Attorney General Bruck, New Jerseyans struggling with cancer should never have to worry about whether their healthcare providers are adequately protecting their personal data from cyber threats. Healthcare companies must use sufficient security measures to safeguard patient information, and companies that fail to do so will be held accountable.
The providers allegedly violated HIPAA and the Consumer Fraud Act by:
- failing to ensure the confidentiality, integrity, and availability of patient data
- failing to protect against reasonably anticipated threats to the security or integrity of patient information
- failing to implement security measures to reduce risks and vulnerabilities to a reasonable level
- failing to conduct an appropriate and thorough risk assessment
- failing to implement a security awareness and training program for all members of their workforce.
Under the terms of the settlement, the three organizations will pay a financial penalty of $425,000 and must implement additional privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.
The providers must implement and maintain a comprehensive information security program, a written incident response plan, and a cybersecurity operations center; appoint a CISO to oversee cybersecurity; provide initial training for staff members and annual training on data privacy and security policies; and obtain a third-party assessment of their policies and procedures governing the collection, storage, maintenance, transmission, and disposal of patient records.
Division of Consumer Affairs Acting Director Sean P. Neafsey explained that organizations have an obligation to take meaningful steps to protect health and personal information and to prevent unauthorized disclosure of data. The Consumer Affairs investigation found that RCCA did not fully comply with HIPAA requirements, but the firms have agreed to strengthen their security practices to ensure that consumers' data is protected.
New Jersey is very active in HIPAA enforcement. In the past few months, settlements were reached with two other firms for Consumer Fraud Act and HIPAA violations: a New Jersey fertility center paid a penalty of $495,000 in October, and two printing firms paid a penalty of $130,000 in November.