In a recent Press Release dated December 15, 2021, the Office of the Attorney General for the State of New Jersey (the “N.J. Attorney General’s Office”) announced the settlement, via consent order, of alleged HIPAA violations involving three New Jersey-based cancer treatment providers, In the Matter of RCCA MSO LLC, Regional Cancer Care Associates LLC, and RCCA MD LLC. Two key takeaways from this matter are that New Jersey-based health care providers need to be wary of state as well as federal authorities when it comes to information security and related policies, and that substantial investments in cyber security are warranted.
New Jersey Acts Alone
Generally, an array of federal agencies is primarily involved in enforcement regarding HIPAA violations. Civil penalties, which can be up to $1.5 million in a calendar year depending on the scope and severity of the violations, are typically administered by the U.S. Department of Health and Human Services Office for Civil Rights. The Federal Trade Commission has also been involved in investigating HIPAA violations and extracting consent decrees from violators. Lastly, the U.S. Department of Justice handles criminal HIPAA violations under 42 U.S.C. § 1320d-6.
The instant matter is notable in that the N.J. Attorney General’s Office handled the case on its own, rather than the more typical scenario of state authorities “piggybacking” on a federal investigation or working in parallel with one. In addition to HIPAA, the State cited New Jersey’s Consumer Fraud Act, which gave it the added leverage of potential treble damages. The end result was a substantial $425,000 penalty and a consent decree that imposed onerous and expensive information security requirements on the entities at issue.
Existing Safeguards Were Not Sufficient to Avoid a Penalty
The consent decree sets out in detail the factual background of the breach, which was the result of a phishing attack that ultimately compromised a small number of the defendants’ employees. The breach exposed the personal and protected health information of 105,200 patients, including 80,333 New Jersey residents. There is no indication that the defendants failed to respond appropriately to the data breach once discovered, or that they did not undertake proper data breach notifications. Indeed, the defendants promptly hired outside counsel and a forensic investigation firm to identify the scope of the breach. There is also no indication from either the Press Release or consent order of any specific harm or financial loss incurred by defendants’ patients.
Further, this was not a case where the companies, prior to the phishing attack, ignored their obligations to protect sensitive patient information. The consent decree notes that, prior to the phishing attack, the defendants: 1) alerted their employees multiple times to be on guard against phishing attacks, 2) installed Barracuda Email Security Service to filter all emails, and 3) had retained an outside information technology service provider that conducted annual cybersecurity risk assessments and prepared corresponding work plans for the defendants.
Among other things, the N.J. Attorney General’s Office found that the risk assessments and work plans prepared by the defendants’ consultant did not adequately address potential phishing attacks. It nonetheless imposed the $425,000 penalty and a decree that imposes onerous cyber security obligations on the defendants.
Implications of the State’s Actions
What is apparent from the instant matter is that the good faith of a defendant, the use of preventative measures, and a prompt response to a data breach will not be enough to avoid a penalty imposed by New Jersey state authorities. Judging by the detailed measures set forth in the instant consent decree, only an updated, state-of-the-art cyber security program will be sufficient to potentially avoid state penalties. The fact that, at least in New Jersey, health care providers need to be wary of both state and federal authorities when it comes to HIPAA violations makes substantial investments in cyber security, including related training and policies, more justifiable.