New Jersey Cancer Care Providers Settle Data Breach Claim

A trio of healthcare providers in New Jersey has agreed to pay $425,000 and adopt new security measures to settle a legal claim involving a double data breach. 



The state of New Jersey alleged that Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively "RCCA") failed to adequately safeguard the personal data and protected health information (PHI) of thousands of cancer patients.



More than 105,200 patients (including 80,333 New Jersey residents) were affected by two data breaches, both of which occurred in 2019. 



In the first incident, patient data was exposed when several RCCA employee email accounts were compromised in a phishing attack carried out between April and June. Sensitive data accessed in the attack included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers.



The second data breach occurred in July, when a third-party vendor, hired by RCCA to mail out data breach notification letters to patients impacted by the incident, erroneously sent letters to patients' prospective next-of-kin.



Under the Health Insurance Portability and Accountability Act (HIPAA), notification of a data breach to a victim’s next-of-kin is allowed only in cases where the victim is deceased.



“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey's acting attorney general, Andrew Bruck. 



“We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fa ..
