The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Virtua Medical Group Vendor Error Puts Patient Data in Search Engines

Virtua Medical Group has notified 1,654 patients that some of their protected health information had been accidentally indexed by search engines and was accessible over the Internet.

An error was made by a transcription vendor during a server upgrade that resulted in patients’ names, birthdates, physicians’ names, and treatment information being indexed by search engines for up to three weeks. The server error occurred in early January and the error was identified on January 21, 2016. No financial data, insurance information, or Social Security numbers were exposed.

Upon discovery of the error, Virtua Medical Group contacted its vendor to secure the data, and efforts were made to remove the records from the search engines. The information is no longer accessible. It is unclear whether the data were accessed by unauthorized individuals during the period they were accessible, although no inappropriate data use has been reported. As a result of the breach of patient data, Virtua Medical Group has terminated its relationship with the transcription vendor.

According to a substitute breach notice placed on the Virtua Medical Group website, the breach did not impact all patients, only certain individuals who visited Medford Surgical Services, Virtua Gynecologic Oncology Specialists, and Virtua Pain and Spine for treatment between 2011 and January 2016.

Business associates of covered entities can be fined directly by the Department of Health and Human Services’ Office for Civil Rights for the inappropriate disclosure of protected health information. However, as was recently made clear with the $1.55 million settlement between OCR and North Memorial Health Care of Minnesota, the lack of a signed, compliant business associate agreement (BAA) can see a fine issued to the covered entity rather than the business associate.

It is the responsibility of each covered entity to ensure that all vendors sign a BAA and are made aware of their responsibilities to keep PHI secure before access to data is provided. If a compliant BAA is not in place, it will be the covered entity that is liable to pay a civil monetary penalty for an accidental disclosure of PHI, even if that disclosure was entirely the fault of the business associate.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
