Virtua Medical Group, a physician network linked to more than 50 medical practices in New Jersey, has been hit with a substantial financial penalty by the New Jersey Attorney General’s Office for failing to safeguard the privacy of over 1,650 patients whose medical data could be viewed online without any authentication.
The electronic protected health information (ePHI) was exposed by an improperly configured server. The mistake was made by a business associate of the medical group, Best Medical Transcription, which had been supplied with audio files in order to transcribe medical notes.
Best Medical Transcription was hired to transcribe dictations of medical notes, reports, and correspondence from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.
The transcribed notes were published on a password-protected FTP site; however, in January 2016, during a software upgrade on the FTP server, the password protection was removed by mistake, allowing anyone to access patient data without authentication.
Additionally, the content of the FTP server was indexed by search engines and could be found by searching for terms contained in the notes. For instance, searching for a patient’s name would surface that patient’s data, which happened at least once: a patient located portions of her medical records online after carrying out a Google search.
The types of data exposed included names, medical prognoses, and medication details of as many as 1,654 patients who had previously received medical services at one of the three medical clinics.
When the privacy breach was identified, Best Medical Transcription re-enabled the password protection on the FTP server, although cached copies of the data remained accessible online and could still be retrieved through a Google search. The password was reinstated on January 15, 2016, yet a week later Virtua Medical Group was contacted by a patient whose daughter’s medical records were still accessible on the Internet.
At this point, although Best Medical Transcription was aware of the missing password and of a possible breach, it had not alerted Virtua Medical Group that data had been placed at risk. The review by Virtua Medical Group showed that 462 patients’ records had been indexed by search engines. Virtua Medical Group filed individual requests with Google to have the data removed, and patients were notified of the breach in March.
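A check of the kind that would have caught the January 2016 misconfiguration right after the upgrade, given here as an added example that is not code from the article or from any organisation named in it: it attempts an `anonymous` login to the FTP server and expects a refusal, while confirming that a legitimate account can still log in, so that the two failure modes (server exposed, or server broken) are distinguished. The host name, the account name and the `ftp_factory` parameter are assumptions made for illustration; `SimulatedFTP` is a constructed stand-in for `ftplib.FTP` so the check can be exercised offline.

```python
"""Post-change verification that an FTP server still requires authentication.

Added example, not code from the article or from any organisation named in it.
The host name, the account name and the `ftp_factory` parameter are
assumptions made for illustration; SimulatedFTP is a constructed stand-in so
the check can be exercised offline.
"""
import ftplib
from dataclasses import dataclass


@dataclass
class AuthCheckResult:
    """Outcome of the two login attempts."""
    anonymous_rejected: bool       # True when the 'anonymous' login got a 5xx reply
    credentialed_login_ok: bool    # True when the real account can still log in
    detail: str

    @property
    def passed(self) -> bool:
        # Both must hold: no anonymous access, and the service still works.
        return self.anonymous_rejected and self.credentialed_login_ok


def _login_succeeds(ftp_factory, host, user, password, timeout=10):
    """Return True if the server accepts the login, False if it refuses it.

    OSError (host unreachable) is left to propagate so that the caller reports
    it as a failed check rather than a passed one.
    """
    ftp = ftp_factory()
    try:
        ftp.connect(host, 21, timeout)
        ftp.login(user, password)   # login only; no listing or download is needed
        return True
    except ftplib.error_perm:       # 5xx reply, e.g. '530 Login incorrect'
        return False
    finally:
        ftp.close()                 # safe even if connect() never completed


def verify_ftp_requires_auth(host, user, password, ftp_factory=ftplib.FTP):
    """Check that anonymous login is refused while a valid account still works."""
    try:
        anon_ok = _login_succeeds(ftp_factory, host, "anonymous", "check@example.invalid")
        cred_ok = _login_succeeds(ftp_factory, host, user, password)
    except OSError as exc:
        return AuthCheckResult(False, False, f"{host}: unreachable ({exc})")
    if anon_ok:
        detail = f"{host}: anonymous login ACCEPTED, server is exposed"
    elif not cred_ok:
        detail = f"{host}: anonymous rejected, but account '{user}' cannot log in"
    else:
        detail = f"{host}: anonymous rejected, account '{user}' logs in"
    return AuthCheckResult(not anon_ok, cred_ok, detail)


class SimulatedFTP:
    """Constructed stand-in for ftplib.FTP: a correctly configured server."""
    allow_anonymous = False
    accounts = {"transcriber": "correct horse battery staple"}  # constructed sample account

    def connect(self, host, port=21, timeout=None):
        return "220 simulated service ready"

    def login(self, user="", passwd="", acct=""):
        if user == "anonymous":
            if self.allow_anonymous:
                return "230 Anonymous access granted"
            raise ftplib.error_perm("530 Anonymous access denied")
        if self.accounts.get(user) == passwd:
            return "230 Login successful"
        raise ftplib.error_perm("530 Login incorrect")

    def close(self):
        pass


class SimulatedOpenFTP(SimulatedFTP):
    """The same server after a bad upgrade: password protection is gone."""
    allow_anonymous = True


if __name__ == "__main__":
    for factory in (SimulatedFTP, SimulatedOpenFTP):
        result = verify_ftp_requires_auth("ftp.example.invalid", "transcriber",
                                          "correct horse battery staple",
                                          ftp_factory=factory)
        print("PASS" if result.passed else "FAIL", "-", result.detail)
```

Against a real server the default `ftp_factory=ftplib.FTP` is used and the check belongs in the post-upgrade runbook for any system that publishes regulated data. A passing result says nothing about copies that search engines have already indexed or cached: as the article notes, those remained retrievable after the password was reinstated and had to be removed through separate requests to Google.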
An investigation of the breach by the New Jersey Division of Consumer Affairs found multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. Although the breach occurred at a business associate of Virtua Medical Group, it was the medical group that was financially penalized.
The Division of Consumer Affairs stated that no comprehensive risk analysis had been completed to identify threats to the confidentiality, integrity, and availability of ePHI, and that insufficient security protections had been put in place to reduce risk.
A security awareness and training program had not been provided to the entire workforce; there were unacceptable delays in detecting and responding to the breach; no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site; no written log of the number of times the FTP site was accessed had been kept; and there had been an impermissible disclosure of individuals’ ePHI.
Those mistakes and oversights constituted breaches of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.
Along with the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation expenses, Virtua Medical Group has agreed to adopt a robust corrective action plan, which includes contracting a third-party security professional to carry out a comprehensive risk analysis covering the storage, transmission and receipt of ePHI and to complete further risk assessments every two years.