Hackensack, N.J.-based Regional Cancer Care Associates will pay $425,000 and implement new privacy and security measures to settle a 2019 data breach that exposed 105,200 patients' information, the New Jersey acting attorney general's office said Dec. 15.
Five details:
1. The settlement is the result of the state's investigation into alleged violations of HIPAA and the New Jersey Consumer Fraud Act.
2. Under the agreement, Regional Cancer Care Associates, RCCA MSO and RCCA MD will pay the financial settlement and implement additional privacy and security measures to protect private health information. RCCA comprises 30 locations across New Jersey, Connecticut and Maine.
3. The first data breach occurred in April-June 2019 when several RCCA employee email accounts were compromised through a targeted phishing scheme. Unauthorized users were able to access patient information including health records, Social Security numbers, driver's license numbers and financial data.
4. In July 2019, when notifying clients of the initial breach, RCCA improperly disclosed patient data when a third-party vendor improperly mailed notification letters for 13,047 living patients by sending the letters to those patients' next of kin.
5. RCCA disputed the state's allegations but has agreed to the settlement and said it will implement additional privacy measures, including hiring a chief information security officer and providing training for all employees on its information privacy and security policies.