New Jersey AG fines Virtua Medical Group $418K for HIPAA violations tied to vendor oversight

A network of more than 50 medical practices in New Jersey has agreed to pay more than $418,000 to resolve an investigation by the state attorney general after it was discovered patient records were leaked online by a transcription vendor.

Virtua Medical Group agreed to the settlement after state investigators found the medical group failed to implement the proper security protections, which exposed the medical records of more than 1,600 patients online.

Although the leak was traced back to a misconfigured server overseen by a third-party business associate, the New Jersey Attorney General’s Office said it was Virtua’s responsibility to ensure patient data remained protected.


“This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough,” Sharon M. Joyce, acting director of the Division of Consumer Affairs said in a statement. “You must fully vet your vendors for their security as well.”

The settlement comes on the heels of a report released by the law firm Baker Hostetler, which assists providers with cybersecurity investigations, that found data breach inquiries by state attorneys general have nearly doubled over the last year, and investigators are digging deeper into an organization’s security practices.

The Virtua breach occurred in January 2016, when transcription services vendor Best Medical Transcription updated the software on a File Transfer Protocol (FTP) site. The update inadvertently reconfigured the server to allow access without a password, and the patient records on it became searchable via Google. Even after Best Medical fixed the misconfiguration shortly after it was discovered, cached indexes of the records remained accessible on Google.

But the company never notified Virtua. Instead, the medical practice found out about the breach after a patient’s mother called to report she found portions of her daughter’s medical record online. Two weeks later, Virtua notified law enforcement and individually removed each patient’s information from Google’s cache.


Still, state prosecutors alleged that, among other violations, the provider was delayed in responding to the breach and failed to maintain a written log of when the FTP site was accessed. In addition to paying the fine, Virtua is required to hire a third-party professional to analyze the group’s security risks.

“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Gurbir S. Grewal.

At the federal level, the Office for Civil Rights (OCR) may be “expecting a greater level of vendor due diligence under HIPAA,” according to two attorneys with Davis Wright Tremaine LLP. The pair cited comments made by Serena Mosley-Day, OCR’s acting senior advisor for HIPAA compliance and enforcement, at the National HIPAA Summit in March; she suggested covered entities may need to perform more due diligence on newer companies that become business associates than on well-known service providers with a proven track record of compliance.