Healthcare Providers Fined $425,000 by New Jersey for HIPAA and Consumer Fraud Act Violations

The New Jersey Attorney General and the Division of Consumer Affairs have announced that a settlement has been agreed with three New Jersey healthcare providers to resolve an investigation into two data breaches that affected 105,200 individuals, including 80,333 New Jersey residents.

Both breaches occurred in 2019. The first was the result of a phishing attack; the second was a mailing error that occurred when notification letters about the phishing attack were sent. Between April 2019 and June 2019, several employee email accounts were compromised when employees responded to targeted phishing emails and disclosed their credentials. The attackers accessed the email accounts, which contained highly sensitive patient data such as Social Security numbers, driver’s license numbers, healthcare data, and financial information.

In July 2019, a third-party vendor sent notification letters to the next-of-kin of 13,047 patients advising them about the breach, when the letters should have been sent to the affected patients. Those notification letters informed patients’ next-of-kin about their relatives’ illnesses, including cancer diagnoses, without the patients’ consent.

The New Jersey Division of Consumer Affairs investigated the breaches and discovered multiple violations of HIPAA and the New Jersey Consumer Fraud Act, both of which require companies to implement safeguards to ensure the confidentiality of sensitive data and to identify and protect against potential threats.

The alleged violations of HIPAA and the Consumer Fraud Act are:

  • Failure to ensure the confidentiality, integrity, and availability of patient data
  • Failure to protect against reasonably anticipated threats or hazards to the security or integrity of patient data
  • Failure to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of patient data
  • Failure to implement a security awareness and training program for all members of its workforce
  • Failure to put in place security measures sufficient to reduce risks and vulnerabilities

The companies did not agree with the findings of the investigation but agreed to settle the case and pay a $425,000 financial penalty. Additional measures will be implemented to improve protections to prevent further data breaches. Those measures include implementing and maintaining a comprehensive information security program, implementing and maintaining a written incident response plan, implementing and maintaining a cybersecurity operations center, implementing a security awareness and training program, and employing a Chief Information Security Officer (CISO). A third-party independent professional must also be engaged to assess policies and practices covering the collection, storage, maintenance, transmission, and disposal of patient data.

This is the third settlement resolving HIPAA and Consumer Fraud Act violations to be announced in the past three months. In October, a $495,000 settlement was agreed with a fertility clinic, and in November two printing companies were fined $130,000 following investigations into breaches of the personal and protected health information of New Jersey residents.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news