Virtua Medical Group Vendor Error Puts Patient Data in Search Engines

Virtua Medical Group has notified 1,654 patients that some of their protected health information had been accidentally indexed by search engines and was accessible over the Internet.

An error was made by a transcription vendor during a server upgrade that resulted in patients’ names, birthdates, physicians’ names, and treatment information being indexed by search engines for up to three weeks. The server error occurred in early January and the error was identified on January 21, 2016. No financial data, insurance information, or Social Security numbers were exposed.

Upon discovery of the error, Virtua Medical Group contacted its vendor to secure the data and efforts were made to remove the records from the search engines. The information is no longer accessible. It is unclear whether data were accessed by unauthorized individuals during the period they were accessible, although no reports of inappropriate data use have been reported. As a result of the breach of patient data, Virtua Medical Group has terminated its relationship with the transcription vendor.

According to a substitute breach notice placed on the Virtua Medical Group website, the breach did not impact all patients, only certain individuals that visited Medford Surgical Services, Virtua Gynecologic Oncology Specialists, and Virtua Pain and Spine for treatment between 2011 and January 2016.

Business associates of covered entities can be fined directly by the Department of Health and Human Services’ Office for Civil Rights for the inappropriate disclosure of protected health information. However, as was recently made clear with the $1.55 million settlement between OCR and North Memorial Health Care of Minnesota, the lack of a signed, compliant business associate agreement (BAA) can see a fine issued to the covered entity rather than the business associate.

It is the responsibility of each covered entity to ensure that all vendors sign a BAA and are made aware of their responsibilities to keep PHI secure before access to data is provided. If a compliant BAA is not in place, it will be the covered entities that is liable to pay a civil monetary penalty for an accidental disclosure of PHI, even if that disclosure was entirely the fault of the business associate.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.