The New Jersey attorney general has been the most active enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) in 2021, aside from the HHS’ Office for Civil Rights. In the past three months, three financial penalties have been imposed on HIPAA-covered entities and business associates that have failed to comply with the HIPAA Rules. The latest fine was announced this week.
Hackensack, NJ-based Regional Cancer Care Associates (RCCA), and two associated companies, RCCA MSO LLC, and RCCA MD LLC, agreed to settle alleged violations of HIPAA and the New Jersey Consumer Fraud Act that were uncovered during the investigation of two data breaches reported in 2019.
The first breach occurred between April and June 2019, when several employees were tricked into disclosing their credentials in a targeted phishing campaign. The attackers gained access to email accounts that contained patient data such as Social Security numbers, driver’s license numbers, health records, and financial information.
The second breach occurred in July 2019. When sending notification letters, RCCA’s third-party vendor sent letters to the next-of-kin of 13,047 living patients. The letters disclosed sensitive information such as cancer diagnoses. Next-of-kin should only have been contacted if the patients were deceased or if prior authorization to contact those individuals had been obtained. Across the two data breaches, the protected health information of around 105,000 individuals was exposed or impermissibly disclosed, including the PHI of around 80,000 New Jersey residents.
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Andrew Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
The investigation by the Division of Consumer Affairs identified multiple violations of the New Jersey Consumer Fraud Act and HIPAA.
The companies had failed to:
- Ensure the confidentiality, integrity, and availability of patient data
- Conduct a comprehensive and accurate risk analysis
- Protect against reasonably anticipated threats to the security and integrity of patient information
- Implement security measures to reduce risks and vulnerabilities to a low and acceptable level
- Implement a security awareness and HIPAA training program for all members of the workforce
The three companies chose to settle the case without admitting liability, and they did not agree with the findings of the investigation. The settlement includes a financial penalty of $425,000 and a requirement to make privacy and security improvements.
Under the settlement, the companies have agreed to:
- Implement and maintain a comprehensive information security program
- Develop, implement, and maintain a written incident response plan
- Create a cybersecurity operations center
- Employ a CISO with responsibility for overseeing cybersecurity
- Develop and implement a security awareness and training program
The companies must also engage a third-party company to review their policies and procedures covering the collection, storage, maintenance, transmission, and disposal of patient data.