By: Cristina N. Hyde, JD
Last December, the New Jersey health care community received a sobering reminder of the importance of properly handling protected health information. After being accused of compromising patient data, a large cancer treatment provider settled with the Division of Consumer Affairs (DCA), admitting no fault but agreeing to pay $425,000 and to adopt stronger measures to secure personal information and protected health information (PHI).
In its December 15, 2021, press release, the DCA explained that the investigation is the third in a series of recent cases intended to hold accountable companies that fail to properly protect PHI from cyberthreats. The matter included specific allegations under the New Jersey Consumer Fraud Act, the New Jersey Identity Theft Prevention Act, and the Health Insurance Portability and Accountability Act (HIPAA) in connection with the allegedly improper handling of PHI and the allegedly inadequate security measures implemented to secure it. The investigation revealed that, having fallen victim to a targeted phishing scam, the provider unintentionally exposed the protected health information of 105,200 consumers, including 80,333 New Jersey residents. Thereafter, while the provider was attempting to notify clients of that breach, the third-party vendor hired to mail notification letters to affected clients accidentally released the private medical information of the intended recipients to their family members, without consent.
Despite arguments that the provider had made a good faith effort to implement safeguards protecting PHI, as well as procedures to identify and respond to potential threats, the DCA still concluded that the provider had failed to take meaningful steps toward safeguarding PHI, such as implementing security awareness and training programs for all members of its workforce and conducting accurate and thorough risk assessments. Therefore, the settlement included specific recommendations for increased security measures that the provider should implement in order to uphold its duty to protect PHI under both state and federal law.
In light of this settlement, and the DCA's clear intent to hold all providers accountable for inadequate cybersecurity, providers should ensure they are using the best and most up-to-date measures to protect their clients' PHI.
Recognizing the importance of patient privacy, Campanella Law Office offers a complimentary online HIPAA risk assessment through its strategic partner, The Garlick Group, as well as a package of services to ensure compliance with both the Privacy Rule and the Security Rule. If you would like assistance reviewing your compliance procedures, or have any questions or concerns related to the protection of protected health information, Contact Us.