Virtua Medical Group has agreed to pay a $418,000 fine and to beef up its data security in a settlement with the New Jersey government over allegations that it failed to protect patient data of more than 1,650 individuals, resulting in a HIPAA violation.
As a result of a vendor’s server misconfiguration, the names, medical diagnoses, and prescriptions of up to 1,654 Virtua patients were exposed on the internet, explained an April 4, 2018 joint announcement by New Jersey Attorney General Gurbir S. Grewal and the state Division of Consumer Affairs.
Virtua, a network of more than 50 South Jersey medical and surgical practices, first reported the incident in March 2016. The breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at Virtua, updated software on a website where the documents were stored.
During the update, the vendor misconfigured a password-protected file transfer protocol (FTP) server, allowing the site to be accessed without a password.
Anyone who searched Google using terms that were contained in the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP site, the state’s investigation found.
“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Grewal. “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”
The state consumer protection agency charged that Virtua violated the HIPAA Security and Privacy Rules by:
• Failing to implement a security awareness and training program for all members of its workforce, including management
• Delaying identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome
• Failing to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) maintained on the site
• Improperly disclosing the protected health information of its patients
• Failing to maintain a written or electronic log of the number of times the site was accessed
In addition, the agency determined that the exposure of the information on the internet violated the New Jersey Consumer Fraud Act.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Acting Director of the Division of Consumer Affairs Sharon M. Joyce. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
This is not the first time that a state attorney general has imposed fines for violations of the federal HIPAA statute. In fact, state attorneys general have had the authority to take HIPAA enforcement actions since the 2009 passage of the HITECH Act, which updated and extended HIPAA.
Last month, New York Attorney General Eric T. Schneiderman announced a $575,000 fine against EmblemHealth for a data breach that exposed more than 80,000 Social Security numbers of patients in violation of HIPAA.
In October 2016, EmblemHealth found that it had included Social Security numbers on mailing labels sent to policy holders, instead of a mailing identifier number. The Attorney General said that EmblemHealth had “failed to comply with many of the standards and procedural specifications as required by HIPAA.”
In addition to the fine, EmblemHealth has agreed to implement a corrective action plan, including a thorough risk analysis.
“The careless handling of social security numbers is never acceptable,” Schneiderman said. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data,” he concluded.