On April 4, 2018, New Jersey Attorney Gurbir S. Grewal and the NJ Division of Consumer Affairs announced that they would levy fines against Virtua Medical Group, P.A. (VMG), a network of over 50 medical and surgical practices located throughout South NJ, after the records of over 1600 patients were released publicly due to a server error with a private vendor. VMG agreed to pay a total of $417,816 to the Division for the data leak and various other infractions, and to make efforts to improve their data security practices.
An Extensive Healthcare Network
VMG is part of Virtua Health Inc. (or simply Virtua), a non-profit based in southern NJ and the largest provider of healthcare in the region. The records leaked – which included names, diagnosis and prescription data – came from a total of 1654 patients served by three facilities of the VMG, Virtua Surgical Group, Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists. The security breach occurred in January 2016 after Best Medical Transcription, an outside vendor VMG hired to transcribe dictations for the three facilities, accidentally misconfigured security settings on their own server.
The Contractor’s Mistake Exposed Data to Search Engines
A mistake committed during a software update for the File Transfer Protocol (FTP) website where the transcribed documents were kept remove the site’s protection and made all of the information publicly viewable to search engines. Anyone who typed in words or phrases contained in the files into an engine such as Google could come across the protected health information (PHI) of those patients. VMG notified everyone who could have been potentially affected by the breach, but even after restoring the security settings and removing the files themselves, indexed caches of the data remained publicly visible on the Internet.
The Final Owner of the Data is Responsible for a Breach
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, Acting Director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
The FTP was hosted by another party subcontracted by Best Medical Transcription to access relevant files in order to complete the terms of the contract with Virtua for transcription services. VMG claims that it was unaware of the additional involvement until after the breach has occurred.
Third Parties Must be Vetted for Cybersecurity
Best Medical Transcription failed to notify VMG of the data breach and they only learned of it when a patient contacted them directly after her daughter discovered the records during a Google search. The Division found that VMG had violated several more directives of the Health Insurance Portability and Accountability Act (HIPAA), including a failure to adopt a security awareness and training program for all VMG members as well as also establishing a process to make and retrieve copies of the files stored on the FTP website.
VMG may have also inadvertently violated the general standards of the FTC’s Security Rule and Privacy Rule regulations which apply to HIPAA. Attorney General Grewal’s office and the Division accuse Virtua of not conducting a risk assessment of Best Medical Transcription to determine the safety of the PHI they provided access to.
Protection of Sensitive Medical Data is Integral to Compliance
“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Grewal. “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it.”
As part of the settlement, VMG has agreed to implement a Corrective Action Plan to address their information security practices, part of which will entail contracting a third party to conduct a review of their current PHI vulnerabilities so that a report with those findings included can be submitted to the Division within 180 days of their agreement. VMG will also be required to submit a report every two years afterwards.
Personal Information Must be Protected at All Times
As illustrated by this incident and the final ruling, certain modern data privacy regulations require you to ensure secure network conditions for all involved parties to maintain compliance. The inherent value of Non-public Personal Information (NPI) and the ubiquity of cybertheft necessitate additional precautions for data security for even more sensitive segments such as PHI. Not taking every measure to protect your clients’ NPI can you put at risk of losing business as well as being penalized for noncompliance with government regulations.
Contact us to find out more about how we can help you safeguard your data.