Privacy Briefs: January 2022

◆ New Jersey issued its third settlement in three months on state-level health care privacy and security laws, announcing that three cancer care providers would adopt new security measures and pay $425,000 to settle an investigation into two data breaches.[1] Acting Attorney General Andrew Bruck said that Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, RCCA) experienced breaches that potentially exposed personal and protected health information of 105,200 consumers, including 80,333 New Jersey residents. The first data breach occurred “when several RCCA employee email accounts were compromised through a targeted phishing scheme that allowed unauthorized access to patient data stored on those accounts in April-June 2019. The protected information exposed included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers,” the state said. “Then, in July 2019, in the course of notifying clients of the initial breach, RCCA improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin. As a result of this second breach, family members of those cancer patients were informed of their relatives’ illnesses without their consent,” the state explained. “The settlement consists of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs.” Although RCCA disputes the allegations, it has agreed to additional privacy and security measures, including implementing and maintaining a comprehensive information security program; developing, implementing and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, and respond to security incidents; conducting training; employing a chief information security officer; and obtaining a third-party independent professional to assess patient data policies and practices. In October, Bruck announced two settlement agreements that included payments and additional security measures.[2]

This document is only available to subscribers. Please log in or purchase access.
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field