In December of 2021, the New Jersey Attorney General’s Division of Consumer Affairs, Office of Consumer Protection, settled a HIPAA enforcement action that it brought against Regional Cancer Care Associates (RCCA). RCCA is based in Hackensack, New Jersey, and has over 30 locations throughout New Jersey, Connecticut, Maryland, and the Washington DC area. RCCA treats cancer patients as well as patients with blood disorders. RCCA fell victim to a phishing attack in 2019. Hackers gained access to RCCA’s network, resulting in a data breach affecting the ePHI of over 100,000 individuals. Compounding matters, RCCA addressed individual breach notification letters in the salutation line not to the affected victims, but to their prospective next-of-kin. The New Jersey Attorney General’s Office concluded that RCCA committed multiple violations of the HIPAA Security Rule, and recently settled the enforcement action for $425,000. Details about the Hackensack HIPAA Horror Show are set forth below.

Hackensack HIPAA Violations: A Failure to Communicate

Hackensack HIPAA Violation Settlement

In early 2019, RCCA began alerting its employees to an increase in phishing attacks directed at the RCCA network. In January, RCCA sent employees an email with the unsubtle title, “Unusual [sic] High Phishing Activity – Be Alert!”. The email warned RCCA employees to be alert to phishing emails and described how to spot these messages.

Three months later, in April, RCCA emailed its employees a second warning about the high volume of phishing emails. This time, employees were told that RCCA would implement Barracuda Email Security Service (Barracuda) to filter all emails.

RCCA installed Barracuda technology on all RCCA email accounts shortly after sending the April email. Shortly after the installation, though, an unauthorized actor accessed an RCCA email account through a phishing attack. The initial phishing email instructed employees to click on a link to cancel a claimed Microsoft Office 365 account deactivation. One RCCA employee clicked on the link, and then provided the unauthorized actor with the credentials to their email account. Not wasting any time, the unauthorized actor logged onto the compromised employee’s account and sent additional phishing emails from that account to other RCCA employees. In one of these emails, the fraudster requested that RCCA employees complete a survey “required by RCCA’s CEO.” Curiously, the survey required participants to provide their email account logins and passwords. Eleven employees took the bait and provided the information.

In May of 2019, RCCA received communications claiming to be from employees; in these communications, the “employees” “requested” changes to their direct deposit account information. The requested changes went against the company’s payroll policies, so RCCA commenced an investigation to determine if the emails were authentic. Soon enough, RCCA discovered that the suspicious emails came from compromised internal RCCA employee email accounts. A follow-up investigation discovered that 12 email accounts had been compromised through a targeted phishing scheme. Through accessing the 12 accounts, the unauthorized actor was able to access the ePHI of 105,200 individuals. The ePHI included information regarding patient appointments, billing, testing results, and insurance matters.

As of the time the unauthorized access took place, RCCA had not performed any security risk analyses regarding prevention of phishing attacks; had not trained employees on how to prevent unauthorized access through phishing; and had not implemented multi-factor authentication (MFA). Nor, at the time of the attack, did RCCA utilize a security information and event management program (SIEM). SIEM solutions collect logs and analyze security events along with other data to accelerate threat detection, thereby allowing security teams to respond to security incidents and data breaches in the early stages.
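The kind of correlation a SIEM could have applied to this incident, as an added illustration that is not part of the original post or of any RCCA or Compliancy Group tooling: a sign-in from a source IP the account has never used, followed within an hour by the same subject line going to many internal colleagues. The mail domain, IP addresses, account names and log records below are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN = "example-rcca.test"  # placeholder internal mail domain, not the real one

# Constructed sample events (not from the incident record): a sign-in log and an
# outbound-mail log of the kind a SIEM ingests from the mail platform.
SIGNIN_LOG = [  # (timestamp, account, source IP)
    ("2019-04-22T08:01:00", f"nurse.a@{DOMAIN}", "10.1.4.20"),
    ("2019-04-22T08:03:00", f"billing.b@{DOMAIN}", "10.1.4.21"),
    ("2019-04-22T09:10:00", f"billing.b@{DOMAIN}", "203.0.113.77"),  # never seen for this account
]
KNOWN_IPS = {f"nurse.a@{DOMAIN}": {"10.1.4.20"}, f"billing.b@{DOMAIN}": {"10.1.4.21"}}
MAIL_LOG = [  # (timestamp, sender, recipient, subject)
    ("2019-04-22T08:30:00", f"nurse.a@{DOMAIN}", f"dr.c@{DOMAIN}", "Tuesday clinic schedule"),
    ("2019-04-22T09:40:00", f"billing.b@{DOMAIN}", "payer@insurer.test", "Claim 4471 status"),
]
# Five minutes after the unfamiliar sign-in, the account mails one subject to twelve colleagues.
MAIL_LOG += [
    (f"2019-04-22T09:15:{i:02d}", f"billing.b@{DOMAIN}", f"staff{i:02d}@{DOMAIN}", "Survey required by RCCA CEO")
    for i in range(12)
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def flag_internal_phishing(signin_log, mail_log, known_ips, domain, window_min=60, fanout=10):
    """Correlate two log sources: a sign-in from an IP the account has never used,
    followed within window_min minutes by one subject reaching at least `fanout`
    distinct internal recipients. Returns {account: (subject, recipient_count, ip)}."""
    flagged = {}
    for t, acct, ip in signin_log:
        if ip in known_ips.get(acct, set()):
            continue  # familiar source; nothing to correlate
        start, end = _ts(t), _ts(t) + timedelta(minutes=window_min)
        recipients_by_subject = defaultdict(set)
        for mt, sender, rcpt, subject in mail_log:
            if sender == acct and rcpt.endswith("@" + domain) and start <= _ts(mt) <= end:
                recipients_by_subject[subject.strip().lower()].add(rcpt)
        for subject, rcpts in recipients_by_subject.items():
            if len(rcpts) >= fanout:
                flagged[acct] = (subject, len(rcpts), ip)
    return flagged

if __name__ == "__main__":
    for acct, (subject, n, ip) in flag_internal_phishing(SIGNIN_LOG, MAIL_LOG, KNOWN_IPS, DOMAIN).items():
        print(f"ALERT {acct}: '{subject}' to {n} internal recipients after sign-in from {ip}")
```

The external "Claim 4471 status" message and the nurse's routine mail are ignored, so only the account that fits the full sequence raises an alert.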

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!
