Hackensack Cancer Center Settles HIPAA Violations With New Jersey Attorney General

In December of 2021, the New Jersey Attorney General’s Division of Consumer Affairs, Office of Consumer Protection, settled a HIPAA enforcement action that it brought against Regional Cancer Care Associates (RCCA). RCCA is based in Hackensack, New Jersey, and has over 30 locations throughout New Jersey, Connecticut, Maryland, and the Washington DC area. RCCA treats cancer patients as well as patients with blood disorders. RCCA fell victim to a phishing attack in 2019. Hackers gained access to RCCA’s network, resulting in a data breach affecting the ePHI of over 100,000 individuals. Compounding matters, RCCA addressed individual breach notification letters in the salutation line not to the affected victims, but to their prospective next-of-kin. The New Jersey Attorney General’s Office concluded that RCCA committed multiple violations of the HIPAA Security Rule, and recently settled the enforcement action for $425,000. Details about the Hackensack HIPAA Horror Show are set forth below.

Hackensack HIPAA Violations: A Failure to Communicate

Three months later, RCCA again emailed its employees, again to warn about the high volume of phishing emails. This time, employees were told that RCCA would implement Barracuda Email Security Service (Barracuda) to filter all emails.

RCCA installed Barracuda technology on all RCCA email accounts shortly after sending the April email. Shortly after the installation, though, an unauthorized actor accessed an RCCA email account through a phishing attack. The initial phishing email instructed employees to click on a link to cancel a claimed Microsoft Office 365 account deactivation. One RCCA employee clicked on the link, and then provided the unauthorized actor with the credentials to their email account. Not wasting any time, the unauthorized actor logged onto the compromised employee’s account and sent additional phishing emails from that account to other RCCA employees. In one of these emails, the fraudster requested that RCCA employees complete a survey “required by RCCA’s CEO.” Curiously, the survey required participants to provide their email account logins and passwords. Eleven employees took the bait and provided the information.

In May of 2019, RCCA received a communication claiming to be from employees; in these communications, the “employees” “requested” change to their direct deposit account information. The requested changes went against the company’s payroll policies, so RCCA commenced an investigation to determine if the emails were authentic. Soon enough, RCCA discovered that the suspicious emails came from internal compromised RCCA employee email accounts. A follow-up investigation discovered that 12 email accounts had been compromised through a targeted phishing scheme. Through accessing the 12 accounts, the unauthorized actor was able to access the ePHI of 105,200 individuals. The ePHI included information regarding patient appointments, billing, testing results, and insurance matters. 

As of the time the unauthorized access took place, RCCA had not performed any security risk analyses regarding prevention of phishing attacks; had not trained employees on how to prevent unauthorized access through phishing; and had not implemented multi-factor authentication (MFA). Nor, at the time of the attack, did RCCA utilize a security information and event management program (SIEM). SIEM solutions collect logs and analyze security events along with other data to accelerate threat detection, thereby allowing security teams to respond to security incidents and data breaches in the early stages.

RCCA HIPAA Violations: Right Address, Wrong Person

As required by the HIPAA breach notification rule, RCCA mailed notification letters to affected individuals in July of 2019. Shortly after the mailing, RCCA learned that 13,047 mailings were mailed to the right address, but sent to the wrong person. Embarrassingly, the notification letters addressed not the very-much-living patients affected by the breach, but rather their prospective next-of-kin. The letters disclosed sensitive information to patients’ relatives, including diagnoses of cancer. Under HIPAA, written notification to next of kin is permitted – when a provider knows that the affected individual is deceased, that is.

New Jersey Attorney General Concludes RCCA Committed Multiple HIPAA Violations

Upon investigation of the breach and the failure to provide breach notification salutations to the correct people, the New Jersey Attorney General’s Office concluded that Hackensack pulled off a hat trick – violating the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. One incident, three resulting HIPAA violations. The Security Rule violations consist of failure to ensure the confidentiality, integrity, and availability of ePHI of the individuals affected by the breach, as well as the individuals who received the next-of-kin notices. The Attorney General also concluded that RCCA failed to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI – by failing to conduct a security risk assessment and risk management; failing to implement a security awareness and training program; failing to implement procedures to regularly review records of information system activity such as audit logs and access reports; and, for good measure, failing to implement authentication measures and failing to implement mechanisms to ensure that ePHI has not been altered or destroyed in an unauthorized manner.  

The Attorney General added one more item to the tally of HIPAA violations, concluding that the delivery of the next-of-kin salutations violated the Breach Notification Rule. The Attorney General proposed a settlement, which RCCA accepted. Under the terms of the settlement, RCCA must pay the Attorney General’s Office $425,000. $353,820 of this amount constitutes penalties. The remaining $71,180 constitutes attorneys’ fees and costs of investigation – meaning RCCA had to bankroll its own punishment. 

New Jersey Attorney General Concludes HIPAA Violations Require Extensive Monitoring

As part of the settlement of the HIPAA violations, RCCA has also agreed to implement a comprehensive information security program. As part of the program, RCCA must:

• Implement and maintain a written incident response plan;
• Create a cybersecurity operations center, to monitor servers and identify improper data use;
• Develop, implement and maintain policies and procedures governing collection, use and retention of ePHI;
• Designate a Chief Information Security Officer (CISO), to regularly and directly report to RCCA’s CEO and Board of Directors about security posture, security risks, and the security implications of business decisions;
• Log and monitor the RCCA network in accordance with HIPAA, by using a SIEM or reasonably equivalent technology;
• Maintain email filtering and phishing solutions for all email accounts;
• Implement and maintain access controls to ensure that only authorized employees can access the RCCA network;
• Implement policies requiring the use of authentication measures, including, as appropriate, multi-factor authentication;
• Develop, maintain, and regularly update an inventory of the assets and devices that comprise the RCCA network;
• Develop, implement and maintain a risk assessment program;
• Develop, implement and maintain data loss prevention technology to detect and prevent unauthorized data exfiltration from the RCCA network; and
• Train new and existing employees on information privacy and security policies.

This settlement comes on the heels of a November, 2019 Attorney General HIPAA settlement with two printing companies. All of this enforcement activity has earned New Jersey the 2021 crown for most active state HIPAA enforcer.