The New Jersey Attorney General’s Office financially penalized Virtua Medical Group for its failure to protect the privacy of over 1,650 patients. The patients’ protected health information was exposed because a misconfigured server made the medical information publicly accessible online without authentication.
Virtua Medical Group is a network of physicians affiliated with more than 50 medical practices in New Jersey. The misconfigured server was not directly the fault of Virtua Medical Group; the error was made by one of its business associates. Best Medical Transcription transcribes audio files of medical notes, reports and letters for three New Jersey medical practices, namely Virtua Gynecological Oncology Specialists, Virtua Pain and Spine Specialists in Voorhees and Virtua Surgical Group in Hainesport.
Best Medical Transcription uploads transcribed notes to a password-protected FTP website. In January 2016, however, an error occurred while software on the FTP server was being upgraded: password protection was disabled, so the transcribed patient data became accessible to anyone without authentication. Search engines then indexed the content of the FTP server, and typing certain search terms caused portions of the transcribed notes to show up in results. In one case, a patient searched Google for their own name and found some of their medical records online. The information of about 1,650 patients who had visited the three medical centers was exposed, including names, prescriptions and medical diagnoses.
Upon discovering the privacy breach, Best Medical Transcription re-enabled the FTP server’s password protection on January 15, 2016. Cached copies of the information, however, remained available to searchers online. One week later, a patient still found her daughter’s medical records online and informed Virtua Medical Group.
Best Medical Transcription did not notify Virtua Medical Group after becoming aware of the potential breach. An investigation of the incident revealed that the medical records of 462 patients had been indexed by search engines. Virtua Medical Group had to request that Google take down the information. The patients were notified of the breach in March 2016.
The New Jersey Division of Consumer Affairs investigated the breach and determined that Virtua Medical Group had failed to comply with HIPAA rules in the following aspects:
- failure to conduct a comprehensive risk analysis
- insufficient implementation of security protections
- failure to conduct employee security awareness training
- unreasonable delay in identifying and responding to the breach
- no written logs of FTP access
- impermissible disclosure of patients’ ePHI
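Two of the findings above are technical gaps that a routine check would have closed: authentication that silently dropped during a server upgrade, and no written record of who accessed the FTP server. The script below is an added example, not code from the original article or from Best Medical Transcription or Virtua Medical Group. It parses a few constructed log lines written in the style of vsftpd’s default log (the format and the `anonymous`/`ftp` user names are assumptions from that daemon’s documented output) and reports every successful anonymous login or download, which is the signal a defender would alert on the moment password protection went away.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on vsftpd's default log format.
# Assumption: a real deployment may run a different FTP daemon or layout,
# so LINE_RE would need adjusting to match its access log.
SAMPLE_LOG = """\
Mon Jan 11 09:02:11 2016 [pid 2201] [transcriber] OK LOGIN: Client "10.0.0.12"
Mon Jan 11 09:02:30 2016 [pid 2201] [transcriber] OK UPLOAD: Client "10.0.0.12", "/notes/visit-2016-01-11.txt", 18322 bytes, 410.20Kbyte/sec
Tue Jan 12 03:14:07 2016 [pid 2310] [ftp] OK LOGIN: Client "203.0.113.55", anon password "crawler@example.com"
Tue Jan 12 03:14:09 2016 [pid 2310] [ftp] OK DOWNLOAD: Client "203.0.113.55", "/notes/visit-2016-01-11.txt", 18322 bytes, 95.11Kbyte/sec
Tue Jan 12 03:14:10 2016 [pid 2310] [ftp] OK DOWNLOAD: Client "203.0.113.55", "/notes/visit-2016-01-08.txt", 20110 bytes, 101.30Kbyte/sec
Tue Jan 12 07:40:00 2016 [pid 2399] [transcriber] FAIL LOGIN: Client "198.51.100.9"
"""

# One vsftpd-style record: timestamp, pid, user, status, action, client,
# and an optional quoted path for transfer events.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# User names vsftpd reports for unauthenticated (anonymous) sessions.
ANON_USERS = {"anonymous", "ftp"}


@dataclass
class Finding:
    timestamp: str
    client: str
    action: str
    path: Optional[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log record, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_access(log_text: str) -> List[Finding]:
    """Every successful action performed by an anonymous session.

    A single hit means the server is accepting connections without a
    password; in the incident described above, this state persisted
    for weeks because nothing was watching the access log.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "OK":
            continue
        if rec["user"].lower() in ANON_USERS:
            findings.append(Finding(rec["ts"], rec["client"], rec["action"], rec["path"]))
    return findings


def exposed_paths(findings: List[Finding]) -> List[str]:
    """Files actually retrieved without authentication: the disclosure scope."""
    return sorted({f.path for f in findings if f.action == "DOWNLOAD" and f.path})


if __name__ == "__main__":
    hits = find_unauthenticated_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp}  {h.client}  {h.action}  {h.path or ''}")
    print("exposed:", exposed_paths(hits))
```

The `exposed_paths` list is what the breach-notification team needs on day one: it bounds which transcribed notes were actually pulled by an unauthenticated client, instead of having to assume every file on the server was taken. Running the anonymous-access check as part of the upgrade checklist, with the log shipped off the box so it cannot be lost with the server, addresses both the "no written logs of FTP access" and the "unreasonable delay" findings.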
Though the breach and the violations of the HIPAA Privacy Rule, the HIPAA Security Rule and the New Jersey Consumer Fraud Act were directly the fault of a business associate, Virtua Medical Group was penalized. The medical group had to pay $10,632 and $407,184 for investigation costs and attorney’s fees. In addition, Virtua Medical Group had to implement a corrective action plan.