In a Press Release dated December 15, 2021, the Office of the Attorney General for the State of New Jersey (the “N.J. Attorney General’s Office”) announced the settlement, via consent order, of alleged HIPAA violations involving three New Jersey-based cancer treatment providers, In the Matter of RCCA MSO LLC, Regional Cancer Care Associates LLC, and RCCA MD LLC. Two key takeaways from this matter are that New Jersey-based health care providers need to be wary of state as well as federal authorities when it comes to information security and related policies, and that this dual exposure warrants substantial investment in cyber security.

New Jersey Acts Alone

Generally, an array of federal agencies are primarily involved in enforcement regarding HIPAA violations. Civil penalties are typically administered by the U.S. Department of Health and Human Services Office for Civil Rights and, depending on the scope and severity of the violations, can reach $1.5 million in a calendar year for violations of an identical provision. The Federal Trade Commission has also investigated data security failures at health care entities under its own consumer protection authority and extracted consent decrees from the companies involved. Lastly, the U.S. Department of Justice handles criminal HIPAA violations under 42 U.S.C. § 1320d-6.

The instant matter is notable in that the N.J. Attorney General’s Office handled the case on its own rather than following the more typical scenario of state authorities “piggybacking” on a federal investigation or working in parallel with one. In addition to HIPAA, the State cited New Jersey’s Consumer Fraud Act, which gave it the added leverage of potential treble damages. The end result was a substantial $425,000 penalty and a consent decree that imposed onerous and expensive information security requirements on the entities at issue.

Existing Safeguards Were Not Sufficient to Avoid a Penalty

The consent decree sets out in detail the factual background of the breach, which was the result of a phishing attack that ultimately succeeded against a small number of the defendants’ employees. The breach exposed the personal and protected health information of 105,200 patients, including 80,333 New Jersey residents. There is no indication that the defendants failed to respond appropriately to the data breach once it was discovered, or that they did not make the required data breach notifications. Indeed, the defendants promptly hired outside counsel and a forensic investigation firm to identify the scope of the breach. There is also no indication from either the Press Release or the consent order of any specific harm or financial loss incurred by the defendants’ patients.

Further, this was not a case where the companies, prior to the phishing attack, ignored their obligations to protect sensitive patient information. The consent decree notes that, prior to the phishing attack, the defendants: 1) alerted their employees multiple times to be on guard against phishing attacks, 2) installed Barracuda Email Security Service to filter all incoming email, and 3) had retained an outside information technology service provider which conducted annual cybersecurity risk assessments and prepared corresponding work plans for the defendants.

Among other things, the N.J. Attorney General’s Office found that the risk assessments and work plans prepared by the defendants’ consultant did not adequately address potential phishing attacks, which was the very vector that succeeded. It nonetheless imposed the $425,000 penalty and a decree that places onerous cyber security obligations on the defendants.

Implications of the State’s Actions

What is apparent from the instant matter is that the good faith of a defendant, the use of preventative measures, and a prompt response to a data breach will not be enough to avoid a penalty imposed by New Jersey state authorities. The gap the State identified was specific: generic awareness reminders, an email filter, and annual risk assessments that did not address the attack that actually occurred were treated as inadequate. Judging by the detailed measures set forth in the instant consent decree, only an updated, state-of-the-art cyber security program will be sufficient to potentially avoid state penalties. The fact that, at least in New Jersey, health care providers need to be wary of both state and federal authorities when it comes to HIPAA violations makes substantial investment in cyber security, including related training and policies, more justifiable.

Back to Commercial Litigation Update Blog
