Insurance Fraud NEWS
NJ fines vendor behind Virtua Healthcare data breach $200K
November 07, 2018, Atlanta, GA
New Jersey is slapping a $200,000 fine on a defunct Georgia-based medical transcription company that caused the Virtua Medical Group breach impacting more than 1,650 individuals in 2016.
The $200,000 fine includes $191,492.00 in civil penalties and $8,508 in reimbursement of the state’s attorneys’ fees and investigative costs.
This fine is less than half the $418,000 fine levied on Virtua, a network of more than 50 South Jersey medical and surgical practices, by the New Jersey attorney general for the breach.
In April of this year, Virtua agreed to pay the fine and improve its data security practices to settle allegations that it failed to conduct a thorough risk analysis of ePHI it sent to Best Medical Transcription and failed to implement security measures to reduce that risk.
In January 2016, Best Medical Transcription, which provided medical transcription services to Virtua, experienced a server misconfiguration that exposed PHI of up to 1,654 Virtua patients.
The breach occurred when Best Medical Transcription updated software on a password-protected FTP website, where transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP site to be accessed without a password.
As a result, internet searches for terms that appeared in the dictations, such as patient names, doctors’ names, or medical terms, would have been able to locate, access, and download the exposed documents from the FTP site.
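The failure described above is a configuration regression: a software update rewrote the service's settings and silently removed the password requirement, and nothing compared the post-update state against the intended one. The following is an added example, not code from the article or from either company, of the post-change check a vendor could run. It assumes a vsftpd-style key=value configuration file (the article does not say which FTP or web server software was involved); both configuration snapshots are constructed for illustration.

```python
"""Configuration-drift check for an FTP service after a software update.

Added example (not from the article). Assumes a vsftpd-style key=value
config file; the baseline and post-update contents below are constructed.
"""
from __future__ import annotations

# Constructed baseline: the service as it was configured before the update.
BASELINE_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
"""

# Constructed post-update config: the upgrade rewrote the file and dropped
# the authentication and TLS settings back to permissive defaults.
UPDATED_CONF = """
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
ssl_enable=NO
"""

# Security-relevant keys and the value each one must hold. A different value,
# or a missing key, is reported as a finding. (Hypothetical policy table.)
REQUIRED = {
    "anonymous_enable": "NO",        # no password-less logins
    "local_enable": "YES",           # only authenticated local accounts
    "ssl_enable": "YES",             # credentials and documents not sent in the clear
    "force_local_logins_ssl": "YES",
}


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().upper()
    return conf


def find_violations(conf: dict[str, str]) -> list[str]:
    """One finding per required setting that is wrong or absent."""
    findings = []
    for key, want in REQUIRED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} missing (required {want})")
        elif got != want:
            findings.append(f"{key}={got} (required {want})")
    return findings


def drift(baseline: dict[str, str], updated: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Security-relevant keys whose value changed between the two snapshots."""
    changed = {}
    for key in REQUIRED:
        before, after = baseline.get(key), updated.get(key)
        if before != after:
            changed[key] = (before, after)
    return changed


def check_update(baseline_text: str, updated_text: str) -> dict:
    """Run both checks; 'safe' is False if the updated config is exposed."""
    base, upd = parse_conf(baseline_text), parse_conf(updated_text)
    violations = find_violations(upd)
    return {
        "safe": not violations,
        "violations": violations,
        "drift": drift(base, upd),
    }


if __name__ == "__main__":
    result = check_update(BASELINE_CONF, UPDATED_CONF)
    print("safe to put back in service:", result["safe"])
    for finding in result["violations"]:
        print("  violation:", finding)
    for key, (before, after) in result["drift"].items():
        print(f"  drift: {key}: {before!r} -> {after!r}")
```

Run as a gate between "update applied" and "service exposed": a non-empty violation list blocks the rollout, and the drift table tells the operator exactly which settings the update changed. Checking the rendered configuration, rather than trusting the installer, is what would have caught the password requirement disappearing here.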
In addition to the fine, New Jersey’s settlement with Best Medical Transcription permanently bars the owner, Tushar Mathur, from managing or owning a business in New Jersey.
“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said New Jersey Attorney General Gurbir Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable.”
“Patient privacy laws don’t just apply to doctors, they also apply to vendors like Best Medical Transcription, which provided medical transcription services to Virtua Medical Group,” said Paul Rodríguez, acting director of the state Division of Consumer Affairs. “Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”
As a result of its investigation, New Jersey alleged Best Medical Transcription violated HIPAA’s Security Rule, Breach Notification Rule, and Privacy Rule by:
Failing to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held
Failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule
Failing to implement policies and procedures to protect ePHI from improper alteration or destruction
Failing to notify Virtua of the breach of unsecured PHI
Improperly using and/or disclosing ePHI in contravention of its obligations under its business associate agreement with Virtua
The state further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and Best Medical Transcription’s violations of HIPAA’s Security Rule, Breach Notification Rule, and Privacy Rule, constituted a separate violation of the Consumer Fraud Act.
Best Medical Transcription dissolved as a business in June 2017. As part of the settlement, Mathur has “agreed to no longer serve as an officer, director, trustee, member of an executive board or similar governing body, principal, manager or stockholder owning 10 percent or more of the aggregate outstanding capital stock of all classes of any corporation in New Jersey,” according to the attorney general.
Best Medical Transcription has agreed to pay $30,508 within 30 days of the settlement date. Based on Mathur’s agreement not to do business in the state and representations regarding his company’s current financial condition, the state has agreed to suspend the balance of the settlement.
Source: Health IT Security