Breach, Regulation, Phishing

Regional Cancer Care to pay $425K to New Jersey over 2019 data breach, HIPAA violations

Andrew Buck, New Jersey's acting attorney general, addresses the New Jersey State League of Municipalities on Nov. 17, 2021. (New Jersey Office of Attorney General)

The New Jersey Division of Consumer Affairs reached a settlement with Regional Cancer Care Associates over a 2019 data breach that impacted 105,200 patients. The Hackensack-based provider organization agreed to pay $425,000 and to improve its privacy and security measures. 

RCCA has 30 locations in New Jersey, Connecticut, and Maryland. The $425,000 settlement includes $353,820 in penalties and $71,180 for attorneys’ fees and investigative costs.

Acting Attorney General Andrew J. Bruck launched an investigation into the provider following the breach to determine if RCCA violated the New Jersey Consumer Fraud Act and The Health Insurance Portability and Accountability Act.

In July 2019, RCCA notified patients of a targeted phishing attack that compromised several employee email accounts for nearly two months. Their investigation determined the attacker had access to the accounts and the information they stored.

The unauthorized access was not discovered until May 24.

The data was potentially acquired and involved a host of personal and health information, including patient names, date of birth, driver’s licenses, diagnoses, treatments, provider information, prescriptions, and health insurance details. For a smaller subset of patients, Social Security numbers, financial account numbers, and or payment card information was involved.

The breach itself was quite extensive, but RCCA faced another security issue during the course of notifying the breach victims: its third-party vendor improperly mailed notifications intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.

As a result, the family members of those cancer patients were informed of the patients’ health conditions without their consent.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” Bruck said in a statement.

“We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” he added. In fact, this is the third settlement tied to a previous healthcare data breach in the last three months.

Potential HIPAA, Consumer Fraud Act violations revealed by state investigation

The state’s investigation into potential regulatory violations revealed a number of details previously undisclosed about the incident.

In January 2019, RCCA began alerting its employees to an increase in phishing attacks directed to the RCCA network, with a subject that read: “Unusual High Phishing Activity - Be Alert!” The emails warned of phishing emails and how to spot them. A second email blast in April repeated previous warnings.

However, the state’s investigation found that neither email included “any process to verify that employees had received and reviewed them.”

“RCCA is unable to produce any other form of training to prevent unauthorized access through phishing attacks prior to the May Incident,” according to the report.

“Prior to the May Incident, in 2017, 2018, and 2019, Atlantic performed annual cybersecurity risk assessments and prepared work plans on RCCA’s behalf, but these assessments and work plans failed to conduct any analysis regarding the prevention of phishing attacks,” it added.

Further, the state’s investigation revealed the phishing email that led to the multiple account compromises instructed employees to click on a link to stop their Microsoft Office 365 account from being deactivated. They found that an employee clicked on the link and provided the attacker with their employee credentials.

The hacker used those credentials to log into the employee email account through the web portal, sending additional phishing emails from the compromised account to other employees that requested those workforce members complete a survey purportedly required by RCCA.

“To complete the survey, RCCA employees were required to provide the credentials for their RCCA email account,” according to the report. “Eleven RCCA employees provided their account credentials in response to the phishing attack, compromising 11 RCCA employee email accounts. RCCA also did not have multi-factor authentication implemented at the time."

Investigators found that an RCCA human resources payroll administrator also received email communications from two employee accounts, sent by the hacker in an attempt to change direct deposit banking information. The HR team notified the RCCA IT services vendor of the emails, as the requested changes did not follow RCCA payroll policies. 

The IT vendor launched an investigation following the HR interaction. It was their forensic analysis that discovered the phishing-related account compromises in May 2019.

The state’s investigation sought to assess a number of alleged HIPAA and Consumer Fraud Act violations, including failures to protect patient data and protect against reasonably anticipated security or integrity threats to patient data. RCCA was also accused of failing to conduct an accurate and thorough risk assessment of risks and vulnerabilities to patient data.

Investigators also claimed RCCA did not implement a security awareness and training program for all workforce members, nor did it put into place sufficient security measures to reduce overall risks and vulnerabilities.

RCCA denied all allegations, but has agreed to implement further privacy and security measures to improve measures to keep patient information secured.

The provider is required to implement and maintain an effective security program, which must include governance policies and procedures for the collection, use, and retention of patient data in compliance with both state and federal regulations. RCCA must also develop and implement a written incident response plan

RCCA will also deploy a cybersecurity operations center designed to prepare for, detect, analyze, and respond to security incidents. The provider is required to hire a Chief Information Security Officer and conduct an initial training for all new employees and annual training for existing employees.

The organization will also need an independent, third-party independent team to assess overall patient data policies and practices.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey, in a statement.

“Our investigation revealed RCCA failed to fully comply with HIPAA requirements,” he added. ”I’m pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

prestitial ad