A New Jersey health network will pay roughly $418,000 after a private vendor’s server misconfiguration exposed patient medical records.

Physician network Virtua Medical Group, P.A., also known as VMG, agreed to the payment after the New Jersey attorney general and the state Division of Consumer Affairs alleged the network violated HIPAA by failing to conduct a thorough risk analysis of the patient health records it sent to the vendor and failing to take steps to reduce those risks.

The resulting breach made medical information of more than 1,650 patients available on the internet.

“This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough,” Sharon M. Joyce, Acting Director of the Division of Consumer Affairs, says. “You must fully vet your vendors for their security as well.”

The exposure of protected health information (PHI) occurred when a server from the vendor Best Medical Transcription was misconfigured in January of 2016 during an update, making patient information viewable through Google and patient documents downloadable.

Best Medical Transcription did not notify VMG of the breach, and VMG only became aware of the incident when a patient’s relative told them about the exposed information on January 22. VMG conducted an internal investigation and notified the State Police and FBI on February 4.

The network also submitted a request to Google to remove the site from Google’s cache before individually removing 462 patient records officials found on Google. VMG notified all affected patients of the breach in March.

The Division of Consumer Affairs’ investigation into VMG identified several potential violations of the HIPAA Security Rule and Privacy Rule, including:

• Failing to implement a security awareness and training program for all members of its workforce, including management.
• Being delayed in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome.
• Failing to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP Site.
• Improperly disclosing the protected health information (“PHI”) of its patients.
• Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The resolution agreement is in line with an expected increase in focus on ensuring healthcare entities adequately vet vendors, particularly newer vendors, by the HHS’ Office for Civil Rights. That expectation follows comments by OCR Acting Senior Advisor for HIPAA Compliance Serena Mosley-Day in March suggesting covered entities may need to further scrutinize the policies and practices of newer business associates, reports Fierce Healthcare.

VMG, which is made up of physicians affiliated with more than 50 medical and surgical practices in South Jersey, agreed to several actions as part of the settlement.

Corrective actions include hiring a third party professional to conduct an analysis of security risks associated with the storage, transmission and receipt of ePHI in VMG buildings. VMG officials will submit a report of those findings to the Division of Consumer Affairs within 180 days and in each of the next two years.

The $417,816 payment includes $407,184 in civil penalties and $10,632 in reimbursement of the division’s attorney fees and investigative costs.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content