NJ cancer care providers settle for 2 data breaches, will increase security
After exposing the personal and protected health information of tens of thousands of New Jersey residents, three providers of cancer care in the Garden State have agreed to put out $425,000 and adopt additional safeguards to protect personal information in the future.
Acting Attorney General Andrew Bruck announced the settlement with Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LCC ("RCCA" collectively) on Wednesday.
Two data breaches impacted 105,200 consumers, including 80,333 New Jersey residents, Bruck's office said.
"New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats," Bruck said. "We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short."
According to officials, the first data breach involving RCCA occurred in the spring of 2019, when employee email accounts were compromised through a phishing scheme, giving hackers access to patient data. Then, in July 2019, according to officials, RCCA improperly disclosed patient data when a third-party vendor incorrectly sent mailers to patients' prospective next-of-kin. As a result, family members of cancer patients were informed of their relatives' illnesses without their consent.
The settlement includes $353,820 of penalties and $71,180 in attorneys' fees and investigative costs.
Headquartered in Hackensack, RCCA has 30 locations throughout New Jersey, Connecticut and Maryland.
Contact reporter Dino Flammia at firstname.lastname@example.org.