There’s a follow-up to a breach previously reported on this site in 2016, in which a transcription vendor’s error resulted in the exposure of some of Virtua Medical Group’s patients’ protected health information on the internet. It appears that New Jersey has settled charges against VMG over the incident. Of note, the charges are that VMG violated HIPAA, even though it was the vendor’s error.
NEWARK – Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs today announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians exclusively affiliated with more than 50 South Jersey medical and surgical practices, has agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.
VMG, a non-profit New Jersey captive Professional Association of Virtua Health Inc. headquartered in Marlton, agreed to the settlement terms after the Division’s investigation concluded that VMG’s failure to comply with federal healthcare data security standards publicly exposed the medical information – including patient names, medical diagnoses and prescriptions – of up to 1,654 individuals treated at Virtua Surgical Group in Hainesport, and Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees.
The server misconfiguration occurred in January 2016. All potentially affected patients, which included 1,617 New Jersey residents, were notified about the security breach in early March 2016.
The Division alleged that VMG’s failure to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information (“ePHI”) it sent to a third-party vendor, and its failure to implement security measures to reduce that risk, violated the federal Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.
“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Gurbir S. Grewal. “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”
The VMG privacy breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at the three VMG practices, updated software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password.
After the FTP Site became unsecured, anyone who searched Google using search terms that happened to be contained within the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP Site, the Division investigation found.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, Acting Director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
The Division’s investigation found that even after Best Medical Transcription corrected the server misconfiguration, removed the transcribed documents from the FTP Site, and restored the password protection on January 15, Google retained cached indexes of the files, which remained publicly accessible on the internet.
On January 22, VMG received a phone call from a patient indicating that her daughter had found portions of her medical records from Virtua Gynecological Oncology Specialists on Google. The Division’s investigation found that at that time, VMG was not aware of the source of the information viewed by the daughter because Best Medical Transcription had not notified them of the security breach.
Upon completing an internal investigation into the matter on February 4, VMG contacted the New Jersey State Police and the FBI to report the security incident. That same day VMG placed a request to remove the entire FTP Site from Google’s cache. Additionally, VMG went to each of the 462 VMG patient records it had found and identified on Google and, over a period of many hours, successfully removed them, one at a time, from Google.
The Division alleges that VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the VMG data breach, including:
- Failing to implement a security awareness and training program for all members of its workforce, including management.
- Being delayed in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome.
- Failing to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP Site.
- Improperly disclosing the protected health information (“PHI”) of its patients.
- Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.
The Division further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and VMG’s violations of HIPAA’s Security Rule and Privacy Rule, constituted separate and additional unconscionable commercial practices, in violation of the New Jersey Consumer Fraud Act.
In settling the Division’s investigation, VMG agreed to implement a Corrective Action Plan that includes hiring a third-party professional to conduct a thorough analysis of security risks associated with the storage, transmission and receipt of ePHI in VMG buildings, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years. VMG also agreed to pay $417,816, comprised of $407,184 in civil penalties and $10,632 in reimbursement of the Division’s attorneys’ fees and investigative costs.
Investigator Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.
Deputy Attorneys General Russell M. Smith, Jr. and Carla S. Pereira represented the State of New Jersey in this matter.
Related: Order.
Interesting.
So... OCR didn’t fine them? Instead the NJ Division of Consumer Affairs did?
I wonder why?
My understanding – which could be very faulty – is that HIPAA doesn’t require CEs to actually monitor/audit their BAs. So on what basis could OCR have fined the entity?
OCR could still fine them for the exact same things the NJ DCA fined them: the same violations of HIPAA. The division didn’t fine them for failing to monitor/audit the BA, but for bad risk analysis, delayed response, lack of mitigation, etc.
HIPAA does not require CEs to actively monitor BAs (nor does the NJ DCA as far as I know), but it does require CEs to sever ties with BAs that the CE knows OR SHOULD HAVE KNOWN did not protect data or violated HIPAA. Some interpret that as a requirement for fairly active monitoring/reviewing, but that’s not a specific requirement.
So, yes, CEs are not actually required to monitor or audit BAs.
Thanks so much for explaining that. It would be nice if this case suddenly made CEs more active or proactive with respect to BAs.