New Jersey Cancer Care Providers Settle Data Breach Claim
A trio of healthcare providers in New Jersey has agreed to pay $425,000 and adopt new security measures to settle a legal claim involving a double data breach.
The state of New Jersey alleged that Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively "RCCA") failed to adequately safeguard the personal data and protected health information (PHI) of thousands of cancer patients.
More than 105,200 patients (including 80,333 New Jersey residents) were affected by two data breaches, both of which occurred in 2019.
In the first incident, patient data was exposed when several RCCA employee email accounts were compromised in a phishing attack carried out between April and June. Sensitive data accessed in the attack included health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers.
The second data breach occurred in July, when a third-party vendor, hired by RCCA to mail out data breach notification letters to patients impacted by the incident, erroneously sent letters to patients' prospective next-of-kin.
Under the Health Insurance Portability and Accountability Act (HIPAA), notification of a data breach to a victim’s next-of-kin is allowed only in cases where the