New Jersey Cancer Care Providers Settle Data Breach Claim

A trio of healthcare providers in New Jersey has agreed to pay $425,000 and adopt new security measures to settle a legal claim involving a double data breach.
The state of New Jersey alleged that Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively “RCCA”) failed to adequately safeguard the personal data and protected health information (PHI) of thousands of cancer patients.
More than 105,200 patients (including 80,333 New Jersey residents) were affected by two data breaches, both of which occurred in 2019.
In the first incident, patient data was exposed when several RCCA employee email accounts were compromised in a phishing attack carried out between April and June. Sensitive data accessed in the attack included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers.
The second data breach occurred in July, when a third-party vendor, hired by RCCA to mail out data breach notification letters to patients impacted by the incident, erroneously sent letters to patients’ prospective next-of-kin.
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of a data breach to a victim’s next-of-kin is allowed only in cases where the victim is deceased.
“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey’s acting attorney general, Andrew Bruck.
“We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”
New Jersey accused RCCA of five violations, including a failure to protect against reasonably anticipated threats or hazards to the security or integrity of patient data, and a failure to implement a security awareness and training program for all members of its workforce.
The RCCA companies, which are all headquartered in Hackensack, New Jersey, and have 30 locations throughout Connecticut, New Jersey, and Maryland, disputed the allegations.
However, the healthcare group agreed to a settlement consisting of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. RCCA also agreed to adopt new security measures, which included hiring a chief information security officer.