NJ: Virtua Medical Group notifies 1,654 patients whose information was exposed on Internet (updated)
On March 11, Burlington County Times reported:
Virtua Medical Group, the network of doctors exclusively affiliated with the South Jersey health system, reported Friday that patient information — including names and treatments over a five-year period — was accidentally released and viewable on the Internet in January.
The medical group learned on Jan. 21 that earlier in the month “certain patient information from three practices … had become viewable on the Internet by using a search engine,” according to the notice.
A subscription is required to access the full article, and Virtua Medical Group does not appear to have a copy of their notice readily locatable on their web site. Their report to HHS, though, indicates that 1,654 patients were impacted.
Virtua has not yet responded to an email inquiry sent to them earlier today. This post will be updated when more information becomes available.
Updated 3-21-16: Virtua kindly sent me a copy of their notice, which was, it seems, posted on their web site the same day:
Virtua Notifies Patients of Transcription Record Incident
Virtua Medical Group (VMG) announced today that in early January 2016, one of its transcription vendors unintentionally caused certain patient transcription records to become viewable on the internet if searched with a search engine. Each year, VMG creates patient records for each of its 750,000 patient visits, and this incident involved considerably less than 1% of those visits. Only certain patients treated from 2011 to January, 2016 at Virtua Gynecologic Oncology Specialists, Medford Surgical Services, and Virtua Pain and Spine were affected.
VMG first learned of this incident on January 21, 2016, and immediately began a thorough internal investigation. VMG determined that the transcription vendor had a server that had been unintentionally misconfigured during an upgrade, allowing the transcription documents to be viewable by using a search engine on the internet. VMG immediately had the vendor remove the patient information from the server, and VMG confirmed that patient information was no longer viewable. VMG also took action to have the records removed from search engines.
There is no indication that any patient information was used in any way and the transcription record did not contain social security numbers, financial information or addresses. However, VMG sent letters to patients on March 11, 2016, and established a dedicated call center to support patients and answer their questions. To help prevent an incident like this from happening in the future, VMG has ceased doing business with the transcription vendor. More information is posted on the Virtua website: https://www.virtua.org/news/notice-to-patients-of-transcription-records-incident.