New Jersey regulators sanction practice after breach
New Jersey’s Division of Consumer Affairs is levying a fine against Virtua Medical Group after the provider organization suffered a breach two years ago that exposed the protected health information of more than 1,600 of its patients.
The network of physicians, which spans more than 50 South Jersey practices and is part of the Virtua Health delivery system, will pay a total of $417,816 and improve its data security following a breach of protected health information affecting 1,654 patients. Their health records were found to be viewable on the Internet because of a server misconfiguration by a vendor in January 2016.
Virtua Medical Group had hired a vendor to transcribe dictations of medical notes, letters and reports by physicians at three practices, and the vendor stored the transcribed documents on a password-protected File Transfer Protocol (FTP) site, which it then updated with new software.
However, the vendor’s misconfiguration of the server made the site where the documents were stored accessible without a password, which allowed Google’s crawler to index the files on the unsecured FTP site so that they could be pulled up in a Google search. The investigation further found that even after password protection was restored, Google retained cached copies of the indexed files, which remained publicly accessible on the Internet: closing the server did not recall copies the search engine had already made.
Later that January, a patient called Virtua Medical Group and informed the organization that her daughter found parts of her medical record on Google. The New Jersey Division of Consumer Affairs investigated the breach and found that Virtua Medical Group did not know that data was available because the transcription vendor never notified Virtua about the security breach. That launched an investigation by Virtua Medical Group, the New Jersey State Police and the FBI. The provider eventually resolved the problem and eliminated the ability for the information to be accessed.
In making the determination to sanction Virtua Medical Group, the Division of Consumer Affairs found that the organization had failed to implement a security awareness program; delayed in identifying and responding to the data breach; failed to create and maintain exact copies of the protected health information stored on the FTP site; improperly disclosed protected health information; and failed to maintain a log of the number of times the FTP site was accessed.
Consequently, Virtua Medical Group agreed to a comprehensive two-year corrective action plan and paid $407,184 in civil penalties and $10,632 to reimburse the Division of Consumer Affairs’ costs for the investigation.
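The two technical failures the regulators cite, an FTP site that accepted logins without a password and no log of how often it was accessed, are both settings a practitioner can audit before a crawler finds the files. The script below is an added example and is not code from the article, from Virtua Medical Group or from its vendor; it assumes the document store ran on vsftpd (the article says only "FTP"), and the configuration text, paths and host names in it are constructed for illustration. It parses a vsftpd.conf, flags password-less (anonymous) access, missing transfer logging and cleartext transport, and includes a live probe that checks from the outside whether a server still accepts an anonymous login.

```python
"""Audit a vsftpd configuration for the failure modes in the Virtua case.

Added example, not code from the article or from Virtua Medical Group or its
vendor. It assumes the transcription site ran vsftpd (the article names only
"FTP"); the config text, paths and host names below are constructed.
"""
from __future__ import annotations

from ftplib import FTP, error_perm

# Constructed sample: the kind of vsftpd.conf that exposes a document store.
# vsftpd's compiled-in defaults are anonymous_enable=YES and xferlog_enable=NO,
# so simply omitting a key is as dangerous as setting it to the weak value.
WEAK_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
local_enable=YES
write_enable=YES
anon_root=/srv/ftp/transcriptions
# anonymous_enable is not set, so vsftpd's default of YES applies
"""

# Constructed sample: the same site with the weak settings corrected.
HARDENED_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
local_enable=YES
write_enable=YES
anonymous_enable=NO
xferlog_enable=YES
log_ftp_protocol=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# (key, vsftpd default when the key is absent, value we require, why it matters)
CHECKS = [
    ("anonymous_enable", "YES", "NO",
     "anonymous (password-less) logins are accepted, so anyone, including "
     "search-engine crawlers, can fetch the files"),
    ("xferlog_enable", "NO", "YES",
     "transfers are not logged, so the number of times the site was accessed "
     "cannot be reconstructed after an incident"),
    ("ssl_enable", "NO", "YES",
     "credentials and file contents cross the network in cleartext"),
]


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse vsftpd's key=value format: '#' lines are comments, blank lines ignored."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd_conf(text: str) -> list[str]:
    """Return one finding per failed check; an empty list means the config passes.

    A key that is absent is judged by vsftpd's default, not skipped.
    """
    conf = parse_vsftpd_conf(text)
    findings: list[str] = []
    for key, default, required, why in CHECKS:
        actual = conf.get(key, default).upper()
        if actual != required:
            origin = "explicitly set" if key in conf else "vsftpd default"
            findings.append(f"{key}={actual} ({origin}): {why}")
    return findings


def probe_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Live check from the outside: does the server accept an anonymous login?

    Returns 'anonymous-login-allowed', 'anonymous-login-refused' or 'unreachable'.
    Run it only against hosts you are authorised to test.
    """
    try:
        with FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # ftplib sends user 'anonymous' with a placeholder password
            return "anonymous-login-allowed"
    except error_perm:  # server answered 530 or similar: login rejected
        return "anonymous-login-refused"
    except (OSError, EOFError):  # connection refused, timed out, or no FTP banner
        return "unreachable"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_vsftpd_conf(conf)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
    # Live probe against a host you own, for example:
    # print(probe_anonymous_ftp("ftp.example.internal"))
```

Run against the weak configuration the audit reports three findings, two of them from defaults the file never mentions; the hardened configuration reports none. The probe only tells you whether the server accepts anonymous logins now; as the Virtua case shows, fixing that does not remove copies a search engine has already cached, so a removal request to the search engine belongs in the same remediation checklist.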
Virtua Health issued the following statement on the incident:
“In March 2018, Virtua Medical Group (VMG) reached an agreement with the NJ Attorney General’s Office regarding an incident involving patient information that occurred in 2016. VMG was made aware that a transcription vendor had inadvertently allowed patient information to be accessible via an internet search engine. VMG addressed the issue, notified patients who were potentially impacted, and complied with its federal and state reporting obligations. VMG ceased working with the transcription service immediately after the issue was discovered. VMG is committed to protecting the security and confidentiality of our patients’ information and regrets that this incident occurred. VMG has confidence that the steps taken at that time, and since, are effective in protecting the privacy of our patients’ medical information.”