HACKENSACK-BASED CANCER CARE PROVIDERS FINED OVER DATA SECURITY BREACHES

Three Hackensack-based cancer care providers will pay the state $425,000 to settle allegations they exposed the personal health and financial information of more than 105,000 customers during a pair of data security breaches in 2019, the New Jersey Attorney General's Office announced Wednesday.

Regional Cancer Care Associates, the umbrella name for three companies that run more than 30 locations in New Jersey, Connecticut and Maryland, will also adopt new privacy and security measures to further protect consumers' information, according to a statement from acting Attorney General Andrew Bruck.

"New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats," Bruck said. "We require health care providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short."

The first data breach happened between April and June of 2019, when a targeted phishing scheme compromised several employee email accounts and allowed scammers unauthorized access to patient data stored on those accounts, Bruck said.

The breach exposed driver's license numbers, health records, Social Security numbers and financial account and payment card information, the statement said.

In July, Regional Care was trying to notify clients of the initial breach when a third-party vendor improperly mailed notification letters intended for 13,047 living patients to their next of kin instead.

This told the family members about their relatives' illnesses without their consent, Bruck said.

The state said the company violated New Jersey's Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act, or HIPAA, because it failed to protect its clients' data, conduct accurate and thorough risk assessments, implement a security awareness training program for its workers and install the security measures to cut risk and vulnerabilities, among other things.

More than 80,000 New Jerseyans' information was revealed during the two incidents, Bruck said.

Regional Care disputes the allegations, the statement said. The company did not respond to a request for comment Wednesday.

Still, it has agreed to new privacy and security measures that the state said will improve protection of consumers' information.

This includes maintaining an information security program that governs the collection, use and retention of patient data; developing a written incident response plan and cybersecurity operations center to respond to threats; hiring a chief information security officer; training new and existing employees in privacy and security policies; and contracting a third-party professional to assess its practices and policies for collecting, storing, maintaining and disposing of patient data, the statement said.

The company paid nearly $354,000 in fines, Bruck said. The other $71,000 covered attorneys' fees and investigative costs.

This is the third settlement the state's Division of Consumer Affairs has reached with private companies in recent months, the acting attorney general said.

In October, his office announced a settlement that required a fertility clinic to expand its data security measures and pay the state $495,000.

In November, the division reached a $130,000 settlement with two printing companies that worked with a leading managed health care organization.

Email: [email protected]

Twitter: @stevejanoski