January 28, 2023

Volume XIII, Number 28


January 27, 2023

Subscribe to Latest Legal News and Analysis

January 26, 2023

Subscribe to Latest Legal News and Analysis

January 25, 2023

Subscribe to Latest Legal News and Analysis

NJ Acting Attorney General Announces $425,000 Fine to Settle Breach Investigation

On December 15, 2021, the New Jersey Acting Attorney General Andrew J. Bruck announced that its Division of Consumer Affairs had reached a $425,000 settlement with New Jersey-based providers of cancer care, Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, “RCCA”), over alleged failures to adequately safeguard patient data.

In 2019, RCCA reported two separate data breaches, in total involving the protected health information of more than 105,200 individuals, including 80,333 New Jersey residents. The first breach occurred when RCCA employee email accounts were compromised through a targeted phishing scheme that enabled unauthorized access to patient data stored on those accounts, including health records, driver’s license numbers, Social Security numbers, financial account numbers and payment card numbers. The second occurred when a third-party vendor mailed notification letters to certain living patients’ next-of-kin, which is not permissible under HIPAA.

In connection with these breaches, the Division of Consumer Affairs alleged that RCCA violated the New Jersey Consumer Fraud Act and HIPAA Privacy and Security Rules by failing to:

  • ensure the confidentiality, integrity and availability of its clients’ patient data;

  • protect against reasonably anticipated threats or hazards to the security or integrity of patient data;

  • conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of patient data;

  • implement a security awareness and training program for all members of its workforce; and

  • put in place security measures sufficient to reduce risks and vulnerabilities.

RCCA disputed these allegations, but agreed to settle the matter. In addition to the $425,000 fine (consisting of $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs), RCCA also has agreed to the following privacy and security measures to safeguard individuals’ protected health information:

  • implementing and maintaining a comprehensive information security program consisting of policies and procedures governing its collection, use and retention of patient data in accordance with applicable state and federal requirements;

  • developing, implementing and maintaining a written incident response plan and cybersecurity operations center to prepare for, detect, analyze and respond to security incidents;

  • employing a Chief Information Security Officer who will report directly to the Chief Executive Officer and the HIPAA Privacy and Security Officer;

  • conducting an initial training for all new employees and annual training for existing employees concerning its information privacy and security policies; and

  • obtaining a third-party independent professional to assess its policies and practices pertaining to the collection, storage, maintenance, transmission and disposal of patient data.

The New Jersey Acting Attorney General’s press release indicated that this settlement is the third settlement reached by the Division “as part of the Office of the Attorney General’s commitment to hold companies accountable for Consumer Fraud Act and HIPAA violations in connection with data breach that compromise patient data.” We previously reported on the first of these settlements.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 364

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct