A $200,000 settlement has been agreed with Best Medical Transcription in relation to HIPAA breaches that were discovered during an investigation of a 2016 breach of 1,650 clients’ protected health information.
Best Medical Transcription was a business associate of Virtua Medical Group, an organisation of medical and surgical practices in southern New Jersey. Best Medical Transcription received dictated medical notes, letters, and reports, which it transcribed for Virtua Medical Group physicians.
In January 2016, it was discovered that transcribed documents had been uploaded to a File Transfer Protocol (FTP) site that was accessible over the Internet without any authentication. The files had been indexed by Google and could be found by searching for information contained in the documents themselves. Password protection had been removed when the software on the site was updated.
Overall, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach, and Virtua Medical Group ended its business relationship with Best Medical Transcription. Best Medical Transcription closed down in 2017.
The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was found responsible for failing to safeguard patients’ private data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA breaches and agreed to enhance its data protection measures.
While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA breaches. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the business owner, Tushar Mathur.
New Jersey alleged that Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. It was alleged that Best Medical Transcription failed to carry out an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement adequate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level, and no policies and procedures had been established to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also did not notify Virtua Medical Group of the breach, and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.
Tushar Mathur agreed to pay New Jersey a civil penalty of $191,492 to resolve the HIPAA breaches and $8,508 to cover attorneys’ fees and costs. Mathur has also been banned from managing or owning a business in New Jersey.
Attorney General Grewal said: “We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information. Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”