Virtua Medical Data Breach: $200,000 Settlement Agreed with Business Associate

by Patrick Kennedy | Nov 8, 2018

A $200,000 settlement has been agreed with Best Medical Transcription in relation to HIPAA breaches that were discovered during an investigation of a 2016 breach of 1,650 clients’ protected health information.

Best Medical Transcription was a business associate of Virtua Medical Group, an organisation of medical and surgical practices in southern New Jersey. Best Medical Transcription was given dictated medical notes, letters, and reports, which it transcribed for Virtua Medical Group physicians.

In January 2016, it was noticed that transcribed documents had been uploaded to a File Transfer Protocol (FTP) website that was accessible via the Internet without authentication. The files had been indexed by Google and could be found using search terms that contained information included in the files. Password protection had been removed when software on the website was updated.

Overall, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group ended its business partnership with Best Medical Transcription. In 2017, Best Medical Transcription closed down.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs looked into the breach, and Virtua Medical Group was found responsible for failing to safeguard patients’ private data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA breaches and agreed to enhance its data protection measures.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA breaches. New Jersey also brought charges against ATA Consulting LLC, dba Best Medical Transcription, and the business owner, Tushar Mathur.

New Jersey claimed Best Medical Transcription had breached the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. It was alleged that Best Medical Transcription failed to carry out an accurate and thorough assessment of possible risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to put in place adequate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level, and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also did not alert Virtua Medical Group to the breach, and the improper disclosure of ePHI was a breach of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA breaches and $8,508 to cover attorneys’ fees and costs. Mathur has also been banned from managing or owning a business in New Jersey.

Attorney General Grewal said: “We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information. Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
