NJ Settles Charges Against Business Associate Responsible for Virtua Medical Patient Data Breach: Vendor Owner Pays $200,000 and is Barred From Owning or Managing Any Business in NJ Again
One question that occasionally pops up is how often businesses go out of business after or due to a data breach. My answer to that is “not often,” but we do it occasionally. In some cases, the breach may just have been a final straw for an already shaky business.
Yesterday, during a webinar with Protenus, I mentioned a case where the New Jersey Attorney General settled charges against Virtua Medical Group over a breach at their transcription vendor that impacted 1,650 patients. It was a breach that I have reported on in the past, and I mentioned it because it shows how even when OCR may not take enforcement action, states can take action.
In response to this breach, Virtua Medical had terminated its contract with Best Medical Transcription.
Today, there’s yet one more follow-up to this case, as it appears that the NJ Attorney General’s Office also filed charges against the transcription service itself. Stunningly, and in one of the most severe enforcement outcomes I have ever seen, the settlement bars the vendor owner from ever managing or owning a business in New Jersey.
Carly Q. Romalino reports:
The breach of more than 1,650 patients’ medical information will cost a defunct Georgia consulting company $200,000 and its rights to run a business in New Jersey.
ATA Consulting LLC, operating as Best Medical Transcription, settled allegations related to a 2016 security lapse that made public — through Google web searches — the medical records of 1,654 patients treated by Virtua Medical Group doctors, the New Jersey Attorney General’s Office said Friday.
Read more on Courier Post.
The state’s press release:
NEWARK – Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs today announced a $200,000 settlement with a now-defunct Georgia company responsible for a 2016 security lapse that allowed the public to view online patient records belonging to more than 1,650 individuals treated by doctors associated with Virtua Medical Group (“VMG”), a southern New Jersey network of medical and surgical practices.
The settlement with ATA Consulting LLC, which did business as Best Medical Transcription, and its owner, Tushar Mathur, resolves allegations that the company violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the New Jersey Consumer Fraud Act (“CFA”) in connection with a server misconfiguration that publically exposed the private health information – including the names and medical diagnoses – of up to 1,654 individuals treated at Virtua Surgical Group in Hainesport, Virtua Gynecological Oncology Specialists, and Virtua Pain and Spine Specialists in Voorhees.
In addition to civil penalties and reimbursement of attorneys’ fees and costs, the settlement with Best Medical Transcription permanently bars Mathur from managing or owning a business in New Jersey.
“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable.”
“Patient privacy laws don’t just apply to doctors, they also apply to vendors like Best Medical Transcription, which provided medical transcription services to Virtua Medical Group,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”
The server misconfiguration occurred in January 2016. All potentially affected patients, which included 1,617 New Jersey residents, were notified about the security breach in March 2016.
The security breach occurred when Best Medical Transcription, contracted to transcribe dictations of medical notes, letters, and reports by doctors at the three VMG practices, updated software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password.
After the FTP Site became unsecured, Internet searches using search terms containing any of the dictation information, such as patient names, doctors’ names or medical terms, would have been able to locate, access and download the exposed documents from the FTP Site, the Division investigation found.
On January 22, 2016, VMG received a phone call from a patient indicating that her daughter found portions of her medical records from Virtua Gynecological Oncology Specialists through a Google web search. The Division’s investigation found that at that time, VMG was not aware of the source of the information viewed by the daughter because Best Medical Transcription had not notified them of the security breach.
In April 2018, VMG agreed to pay over $417,000 and improve its data security practices to settle allegations that it failed to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information (“ePHI”) it sent to Best Medical Transcription, and failed to implement security measures to reduce that risk, in violation of HIPAA.
As a result of its investigation, the State alleged the defendants engaged in violations of HIPAA’s Security Rule, Breach Notification Rule, and Privacy Rule with regard to the defendants’ role in the data breach, including:
- Failing to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held;
- Failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule;
- Failing to implement policies and procedures to protect ePHI from improper alteration or destruction;
- Failing to notify VMG of the breach of unsecured PHI; and
- Improperly using and/or disclosing ePHI in contravention of its obligations under its Business Associate Agreement with VMG.
The State further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and Best Medical Transcription’s violations of HIPAA’s Security Rule, Breach Notification Rule and Privacy Rule, constituted separate and additional unconscionable commercial practices, in violation of the CFA.
As of June 2017, Best Medical Transcription has dissolved as a business, a process which it undertook independent of the State’s investigation. Pursuant to the Final Consent Judgment resolving the State’s allegations, Mr. Mathur agreed to no longer serve as an officer, director, trustee, member of an executive board or similar governing body, principal, manager or stockholder owning 10% or more of the aggregate outstanding capital stock of all classes of any corporation in New Jersey.
The defendants agreed to a $200,000 settlement amount, comprised of $191,492.00 in civil penalties and $8,508 in reimbursement of the State’s attorneys’ fees and investigative costs. Under the terms of the Final Consent Judgment, the defendants agreed to pay $30,508.00 of the settlement amount within 30 days of the effective date of the settlement. Based on the defendants’ agreement to the business practices and permanent injunctive relief, and their representations regarding their current financial condition, the State agreed to suspend the balance of the settlement, provided the defendants comply with the terms of the Final Consent Judgment.
Investigator Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.
Deputy Attorneys General of the Affirmative Civil Enforcement Practice Group Carla S. Pereira and Elliott M. Siebers represented the State in this matter.
The consent judgement can be found here.