Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law
Virtua Medical Group, a network of physicians affiliated with over 50 medical practices in New Jersey, has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without any authentication.
The electronic protected health information (ePHI) was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group, Best Medical Transcription, which had been provided with audio files in order to transcribe medical notes.
Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.
The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016, during a software upgrade on the FTP server, the password protection was accidentally removed, allowing the patient data to be accessed by anyone without authentication.
Further, the content of the FTP server was indexed by search engines and could be found by entering search terms contained in the notes. For example, searching for a patient’s name would surface that patient’s information, which happened on at least one occasion: a patient found portions of her medical records online after performing a Google search.
The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.
When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although cached copies of the information remained accessible online and could still be found through a Google search. The password was reinstated on January 15, 2016, yet a week later Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.
At that point, although Best Medical Transcription was aware of the missing password protection and a potential breach, it had not notified Virtua Medical Group that data had been exposed. Virtua Medical Group’s own investigation revealed that 462 patients’ records had been indexed by search engines. Virtua Medical Group submitted individual removal requests to Google and notified patients about the breach in March.
An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.
The Division of Consumer Affairs alleged that there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI, and that insufficient security protections had been implemented to reduce risk.
In addition, a security awareness and training program had not been implemented for the entire workforce; there were unacceptable delays in identifying and responding to the breach; no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site; no written log of the number of times the FTP site was accessed had been maintained; and there had been an impermissible disclosure of patients’ ePHI.
Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.
In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan, which includes hiring a third-party security professional to perform a comprehensive risk analysis covering the storage, transmission, and receipt of ePHI, and to perform further risk assessments every two years.