New Jersey fines Virtua Medical $418,000 for HIPAA breach
The New Jersey Attorney General fined Virtua Medical Group for more than $418,000 after a misconfigured database breached the protected information of 1,654 patients in January 2016. 1,617 of those patients resided in the Garden State.
The attorney general found that Virtua failed to conduct a thorough analysis of the risk to the confidentiality of patient data sent to its third-party vendor. Further, officials said the medical group didn’t implement security measures that would reduce that risk, which violated HIPAA.
The investigation also found that Virtua didn’t have a security awareness and training program in place for its staff, and there were also “unacceptable delays” in identifying and responding to the breach.
Established procedures to keep track of what type of PHI was maintained on the site were also found to be lacking, as was a written log of the number of times the database was accessed or maintained.
Best Medical Transcription, Virtua’s business associate contracted to transcribe dictations of medical notes and reports, failed to keep an online database of this information private after it updated its FTP server. During this process, it accidentally removed password protection.
As a result, the database could have been accessed by anyone without authentication. Not only that, but the FTP server contents were indexed by search engines, which gave access to those who searched for terms that were contained in the notes.
To make matters worse, Best Medical Transcription discovered the potential breach and didn’t notify Virtua.
“Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it,” Attorney General Gurbir Grewal said in a statement. “When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”
“This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well,” said Sharon M. Joyce, acting director of the Division of Consumer Affairs, in a statement.
As part of the settlement and fine, Virtua agreed to a corrective action plan that includes hiring a third-party security professional to establish a comprehensive risk analysis, along with performing a risk assessment every two years.
The settlement comes in the wake of a disturbing trend of providers leaving data exposed online, many stemming from misconfigured databases. That list includes Accenture, BJC Healthcare, Long Island providers Cohen, Bergman, Klepper, Romano MDs, Alteryx, and a whole list of others.
These breaches can be avoided by a thorough examination of business associate agreements to ensure third-party vendors have security tools in place to prevent these types of breaches, in addition to a company’s own stringent security plans that scan for misconfigurations and other errors.