Regional Cancer Care Associates (RCCA) in New Jersey recently settled two healthcare data breach investigations. The announcement came after NJ’s Division of Consumer Affairs finished its investigation of RCCA LLC, MSO LLC, and MD LLC, and after the state acknowledged settlements with two other New Jersey covered entities.
These providers are just three of several U.S. healthcare organizations hit with HIPAA violations, fines, and corrective action plans (CAPs). Unfortunately, the data breaches occurred because of noncompliance with HIPAA and state laws.
The initial breaches
Personally identifiable information (PII) and PHI exposed included:
- Date of birth
- Treatment and diagnosis information
- Health insurance information
And for some, driver’s license numbers, Social Security numbers, and financial account information.
The second breach occurred in July 2019. A third-party vendor (i.e., business associate) improperly emailed breach notification letters intended for 13,047 patients to next-of-kin rather than the patients themselves. In total, the breaches exposed the PII/PHI of 105,200 individuals. The U.S. Office for Civil Rights lists the breach on its Breach Notification Portal as a hacking/IT incident against RCCA MSO LLC.
Under state and federal law, healthcare providers must implement and use appropriate safeguards to protect information and identify potential threats. NJ’s investigation found that RCCA violated HIPAA and the New Jersey Consumer Fraud Act.
RCCA failed to:
- Ensure the confidentiality and integrity of PII/PHI
- Reasonably protect against cyber threats
- Employ cybersecurity measures that reduce risks and vulnerabilities
- Conduct an accurate and thorough risk assessment
- Implement a thorough training program
And with the second breach, RCCA failed to appropriately notify affected individuals. The HIPAA Breach Notification Rule sets the guidelines for reporting breaches; notifying next-of-kin is only permissible if a patient is deceased. While RCCA disputes the findings, the providers have agreed to the settlement terms.
In the announcement, Division of Consumer Affairs Acting Director Sean P. Neafsey said, “Our investigation revealed RCCA failed to fully comply . . . and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.” RCCA will pay $353,820 in penalties and $71,180 in attorneys’ fees, $425,000 in total.
Besides the fines, RCCA must implement the following CAP:
- A comprehensive information security program
- A written incident response plan
- A cybersecurity operations center with a chief information security officer
- Initial cybersecurity training for new employees as well as annual training
- A third-party professional to assess vendor practices
There is no mention of a timeframe for the healthcare provider to fulfill the changes. But given the need for strong cybersecurity, it would be smart for RCCA to make the alterations sooner rather than later.
Compliance is vital before a breach occurs
The best way to avoid a breach, fine, and CAP is to comply with state and federal laws. Such laws are designed to help organizations avoid cyber disasters.
This means using a strong, layered cybersecurity program that protects against all possible threat vectors and covers every attack surface. RCCA’s CAP addresses this. For example, a risk assessment is the first step toward HIPAA compliance and toward finding all vulnerabilities and weaknesses. Furthermore, consistent and up-to-date policies and employee awareness training stop employees (i.e., the weakest link) from inadvertently sharing access.
Along with training (which is not enough on its own), organizations must ensure strong technical and physical access controls. These controls include password policies and multifactor authentication, encryption at rest and in transit, and antivirus software. Additionally, separate offline backups and segregated storage systems keep attackers from reaching that PHI, even after a breach. Finally, strong email security stops phishing emails (like those used to breach RCCA) from becoming an issue in the first place.
Preparation and compliance are key to dodging breaches and violations on the federal and state level.