Regional Cancer Care Associates (RCCA) in New Jersey recently settled two healthcare data breach investigations. The announcement came after NJ’s Division of Consumer Affairs finished its investigation against RCCA LLC, MSO LLC, and MD LLC, and after the state acknowledged settlements with two other New Jersey covered entities.
These providers are just three of several U.S. healthcare organizations hit with HIPAA violations, fines, and corrective action plans (CAPs). Unfortunately, the data breaches occurred because of noncompliance with HIPAA and state laws.
To avoid punitive steps and costs, healthcare providers must properly demonstrate strong security (such as sending HIPAA compliant email) to safeguard protected health information (PHI).
The first breach related to New Jersey's recent settlement occurred between April and June 2019 when a cyberattacker compromised RCCA's employee email accounts through a targeted phishing attack.
Personally identifiable information (PII) and PHI exposed included:

- Name
- Date of birth
- Address
- Health information
- Treatment and diagnosis information
- Physician information
- Prescription information
- Health insurance information

And for some, driver’s license numbers, Social Security numbers, and financial account information.
The second breach occurred in July 2019. A third-party vendor (i.e., business associate) improperly emailed breach notification letters intended for 13,047 patients to next-of-kin rather than the patients themselves. In total, the breaches exposed the PII/PHI of 105,200 individuals. The U.S. Office for Civil Rights lists the breach on its Breach Notification Portal as a hacking/IT incident against RCCA MSO LLC.
Under state and federal law, healthcare providers must implement and use appropriate safeguards to protect information and identify potential threats. NJ’s investigation found that RCCA violated HIPAA and the New Jersey Consumer Fraud Act.
RCCA failed to:
With the second breach, RCCA failed to appropriately notify affected individuals. The HIPAA Breach Notification Rule sets the guidelines for reporting breaches; notifying next-of-kin is only permissible if a patient is deceased. While RCCA disputes the findings, the providers have agreed to the settlement terms.
In the announcement, Division of Consumer Affairs Acting Director Sean P. Neafsey said, “Our investigation revealed RCCA failed to fully comply . . . and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected." RCCA will pay $353,820 in penalties and $71,180 in attorneys’ fees, $425,000 in total.
Besides the fines, RCCA must implement the following CAP:
There is no mention of a timeframe for the healthcare provider to fulfill the changes. But given the need for strong cybersecurity, it would be smart for RCCA to make the alterations sooner rather than later.
The best way to avoid a breach, fine, and CAP is to comply with state and federal laws. Such laws are designed to help organizations avoid cyber disasters.
This means using a strong, layered cybersecurity program that protects all possible threat vectors and attack surfaces. RCCA’s CAP addresses this. For example, a risk assessment is the first step toward HIPAA compliance and finding all vulnerabilities and weaknesses. Furthermore, consistent and up-to-date policies and employee awareness training stop employees (i.e., the weakest link) from inadvertently sharing access.
Along with training (which is not enough on its own), organizations must ensure strong technical and physical access controls. These controls include password policies and multifactor authentication, encryption at rest and in transit, and antivirus software. Additionally, separate offline backups and separate storage systems keep attackers from reaching PHI, even after a breach. Finally, strong email security keeps phishing emails (like those used to breach RCCA) from becoming an issue in the first place.
Preparation and compliance are key to dodging breaches and violations on the federal and state level.