
New Jersey provider settles data breach investigations


Regional Cancer Care Associates (RCCA) in New Jersey recently settled two healthcare data breach investigations. The announcement came after NJ's Division of Consumer Affairs finished its investigation of RCCA LLC, MSO LLC, and MD LLC, and after the state acknowledged settlements with two other New Jersey covered entities.

RELATED: 2 NJ printing companies fined for HIPAA violations, PHI exposure

These providers are just three of several U.S. healthcare organizations hit with HIPAA violations, fines, and corrective action plans (CAPs). In each case, the state attributed the breaches to noncompliance with HIPAA and state law.

SEE ALSO: Understanding and implementing HIPAA rules

To avoid penalties and their associated costs, healthcare providers must be able to demonstrate strong security controls (such as HIPAA compliant email) that safeguard protected health information (PHI).

 

The initial breaches

The first breach related to New Jersey's recent settlement occurred between April and June 2019 when a cyberattacker compromised RCCA's employee email accounts through a targeted phishing attack.

RELATED: Business email compromise: how to protect yourself

Personally identifiable information (PII) and PHI exposed included:

  • Name
  • Date of birth
  • Address
  • Health information
  • Treatment and diagnosis information
  • Physician information
  • Prescription information
  • Health insurance information

And, for some individuals, driver's license numbers, Social Security numbers, and financial account information.

SEE ALSO: What to do after you violate HIPAA

The second breach occurred in July 2019. A third-party vendor (i.e., a business associate) improperly sent the breach notification letters intended for 13,047 patients to next-of-kin rather than to the patients themselves. In total, the two breaches exposed the PII/PHI of 105,200 individuals. The U.S. Office for Civil Rights lists the first breach on its Breach Notification Portal as a hacking/IT incident against RCCA MSO LLC.

 

The investigation

Under state and federal law, healthcare providers must implement and use appropriate safeguards to protect information and identify potential threats. NJ’s investigation found that RCCA violated HIPAA and the New Jersey Consumer Fraud Act.

RELATED: What is a HIPAA violation?

RCCA failed to:

  • Ensure the confidentiality and integrity of PII/PHI
  • Reasonably protect against cyber threats
  • Employ cybersecurity measures that reduce risks and vulnerabilities
  • Conduct an accurate and thorough risk assessment
  • Implement a thorough training program

 

With the second breach, RCCA also failed to notify affected individuals appropriately. The HIPAA Breach Notification Rule sets the requirements for notifying individuals; sending notice to next-of-kin is permissible only when the patient is deceased. While RCCA disputes the findings, the providers have agreed to the settlement terms.

 

The settlement

In the announcement, Division of Consumer Affairs Acting Director Sean P. Neafsey said, “Our investigation revealed RCCA failed to fully comply . . . and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected." RCCA will pay $353,820 in penalties and $71,180 in attorneys’ fees, $425,000 in total.

Besides the fines, RCCA must implement the following CAP:

  • A comprehensive information security program
  • A written incident response plan
  • A cybersecurity operations center with a chief information security officer
  • Initial cybersecurity training for new employees as well as annual training
  • A third-party professional to assess vendor practices

 

The announcement does not specify a timeframe for completing these changes. Given that the attack path was a phishing campaign against employee email, RCCA would do well to implement them sooner rather than later.

 

Compliance is vital before a breach occurs

The best way to avoid a breach, fine, and CAP is to comply with state and federal laws. Such laws are designed to help organizations avoid cyber disasters.

RELATED: Your cybersecurity strategy is probably lacking

This means running a layered cybersecurity program that covers the organization's threat vectors and attack surfaces. RCCA's CAP addresses this. A risk assessment, for example, is the first step toward HIPAA compliance because it identifies where PHI lives and which vulnerabilities and weaknesses expose it. Consistent, up-to-date policies and employee awareness training then reduce the chance that employees (commonly the weakest link) inadvertently hand over credentials or access.

Training alone is not enough, so organizations must also enforce strong technical and physical access controls. These include password policies and multifactor authentication (which blunts phishing by making a stolen password insufficient on its own), encryption at rest and in transit, and endpoint protection such as antivirus software. Separate offline backups and segmented storage limit what an attacker who does get in can reach, alter, or destroy, and allow recovery without paying a ransom. Finally, strong email security reduces the number of phishing emails (like those used to breach RCCA) that ever reach an inbox.

RELATED: Why healthcare providers should use HIPAA compliant email

Preparation and compliance are key to dodging breaches and violations on the federal and state level.
