New Jersey sanctions transcription vendor, provider over breach
The New Jersey Division of Consumer Affairs has permanently barred and heavily fined a healthcare transcription vendor while chastising a provider organization.
The action prevents the vendor, ATA Consulting, from managing or owning a business in the state; the steps were taken following a data breach that affected 1,654 patients of the provider organization, Virtua Medical Group, a network of medical and surgical practices, which also was fined.
Attorney General Gurbir Grewal and the consumer affairs division announced a $200,000 settlement against Tushar Mathur, owner of ATA Consulting, which also did business as Best Medical Transcription. The regulators charged that the company was responsible for a security breach in January 2016 that resulted in patients’ protected health information being made viewable online as a result of a server misconfiguration. Affected individuals were notified in March 2016.
Best Medical Transcription had contracted with the clinicians to transcribe dictated medical notes, letters and reports, and the vendor updated software on a password-protected website. But during the update, Best Medical Transcription inadvertently misconfigured the web server, making the site accessible without a password. That means all of the PHI could easily be found via Google searches.
Virtua Medical Group learned of the breach in January 2016 when a patient called and told the practice that her daughter found parts of her medical records from the group practice through a Google search.
The division of consumer affairs investigated and learned that Virtua Medical Group had not known the records were available because Best Medical Transcription did not notify it of the breach.
Virtua Medical Group also was fined more than $417,000 and agreed to improve its data security practices after regulators learned it failed to conduct a comprehensive risk analysis and failed to implement measures to reduce the risk.
“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” Grewal says. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable.”