1600 Healthcare Records Exposed In Virtua Data Breach: AG
The investigation began after a woman said her daughter found portions of her gynecological records online, the NJ Attorney General said.

The records of more than 1,650 Virtua patients — including a woman’s gynecological records — were left exposed online, and now the medical group must pay $417,816, Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs announced on Wednesday. Virtua Medical Group (VMG) must also improve its data security practices as part of the settlement.
In January of 2016, a woman reported that her daughter had discovered portions of her medical records from Virtua Gynecological Oncology Specialists via Google search, according to a copy of the settlement provided by the Attorney General’s Office. An ensuing investigation revealed that a server misconfiguration by private vendor Best Medical Transcription had left the records of 1,617 patients exposed online.
During a software update earlier in the month, security restrictions were inadvertently removed, allowing anyone to access these records without a password, according to authorities. Georgia-based Best Medical Transcription was updating the File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept, and the records accidentally became viewable by anyone.
After the FTP Site became unsecured, anyone who searched Google using search terms that happened to be contained within the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP Site, according to authorities.
Authorities alleged that VMG’s failure to conduct a thorough analysis of the risks involved with sending the electronic protected health information to Best Medical Transcription, and its failure to reduce any risk, violated the federal Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” Division of Consumer Affairs Acting Director Sharon M. Joyce said. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
Best Medical Transcription corrected the server misconfiguration, removed the transcribed documents from the FTP Site, and restored the password protection on Jan. 15, authorities said. However, Google retained cached copies of the files, which remained publicly accessible on the internet.
It was after this that the woman found her mother’s gynecology records online. At the time, Best Medical Transcription had not informed VMG of the data breach. Following its investigation, VMG contacted the New Jersey State Police and the FBI to report the security incident, on Feb. 4.
That same day VMG placed a request to remove the entire FTP Site from Google’s cache. Additionally, VMG went to each of the 462 VMG patient records it had found and identified on Google and, over a period of many hours, successfully removed them, one at a time, from Google, authorities said.
VMG is accused of other violations of HIPAA’s Security Rule and Privacy Rule with regard to the VMG data breach, including:
- Failing to implement a security awareness and training program for all members of its workforce, including management;
- Being delayed in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome;
- Failing to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information maintained on the FTP Site;
- Improperly disclosing the protected health information (“PHI”) of its patients; and
- Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.
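One of the alleged failures above is the absence of any access log for the FTP Site, and the earlier passage notes that once the password protection was removed anyone could download the transcribed documents. The following is an added illustration, not code from the article or from any party named in it, of what such a log makes possible: a small parser that reads FTP transfer-log lines and reports which files an unauthenticated ("anonymous") client retrieved, from how many addresses, and how many bytes left the server. The log lines are constructed for this example and loosely follow the vsftpd transfer-log layout; that format, the file paths and the client addresses are assumptions, not facts about the vendor's server.

```python
"""Flag downloads by the unauthenticated (anonymous) account in FTP transfer logs.

Added illustration, not from the article or from any party named in it. The log
lines are constructed and loosely follow the vsftpd transfer-log layout, which is
an assumption about format, not a claim about the vendor's actual server.
"""
import re

# Constructed sample log lines. A correctly configured server would show only
# authenticated accounts; the "anonymous" entries model password-less access
# of the kind the settlement describes.
SAMPLE_LOG = """\
Mon Jan 11 08:02:11 2016 [pid 4120] [transcriber1] OK LOGIN: Client "198.51.100.7"
Mon Jan 11 08:02:40 2016 [pid 4120] [transcriber1] OK UPLOAD: Client "198.51.100.7", "/dictation/note_0001.docx", 24576 bytes, 410.22Kbyte/sec
Mon Jan 11 14:17:03 2016 [pid 4388] [anonymous] OK LOGIN: Client "203.0.113.50"
Mon Jan 11 14:17:09 2016 [pid 4388] [anonymous] OK DOWNLOAD: Client "203.0.113.50", "/dictation/note_0001.docx", 24576 bytes, 900.10Kbyte/sec
Mon Jan 11 14:17:12 2016 [pid 4388] [anonymous] OK DOWNLOAD: Client "203.0.113.50", "/dictation/note_0002.docx", 18944 bytes, 880.00Kbyte/sec
Mon Jan 11 14:20:55 2016 [pid 4391] [anonymous] FAIL LOGIN: Client "203.0.113.51"
Mon Jan 11 15:01:30 2016 [pid 4402] [anonymous] OK DOWNLOAD: Client "192.0.2.9", "/dictation/note_0001.docx", 24576 bytes, 700.00Kbyte/sec
"""

# Timestamp, pid, account, OK/FAIL, action, client address, and (for transfers)
# the path and byte count. The trailing transfer fields are optional because
# LOGIN/CONNECT lines do not carry them.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid (?P<pid>\d+)\] '
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)", (?P<bytes>\d+) bytes)?'
)


def parse_line(line):
    """Return a dict of the line's fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
    return rec


def anonymous_downloads(log_text):
    """Return every successful DOWNLOAD performed by the anonymous account."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["user"] == "anonymous"
                and rec["status"] == "OK" and rec["action"] == "DOWNLOAD"):
            hits.append(rec)
    return hits


def exposure_summary(log_text):
    """Summarise what an unauthenticated party retrieved: which files, from
    how many distinct client addresses, and how many bytes in total."""
    hits = anonymous_downloads(log_text)
    return {
        "files": sorted({h["path"] for h in hits}),
        "clients": sorted({h["client"] for h in hits}),
        "downloads": len(hits),
        "bytes": sum(h["bytes"] for h in hits),
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_LOG)
    print(f"{summary['downloads']} anonymous downloads of {len(summary['files'])} file(s) "
          f"from {len(summary['clients'])} client(s), {summary['bytes']} bytes")
    for path in summary["files"]:
        print("  exposed:", path)
```

Run against a real transfer log, the file list is exactly the inventory a breach notification needs, and the presence of any "anonymous" OK DOWNLOAD line on a server that should require credentials is itself the alert; without such a log, as the settlement alleges here, the affected population can only be reconstructed from what a search engine happened to index.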
Authorities further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and VMG’s violations of HIPAA’s Security Rule and Privacy Rule, constituted separate and additional unconscionable commercial practices, in violation of the New Jersey Consumer Fraud Act.
VMG has agreed to implement a Corrective Action Plan that includes hiring a third-party professional to conduct a thorough analysis of security risks associated with the storage, transmission and receipt of electronic protected health information in VMG buildings, and to submit a report of those findings to the Division of Consumer Affairs within 180 days of the settlement and every year thereafter for two years.
VMG also agreed to pay $417,816, comprising $407,184 in civil penalties and $10,632 in reimbursement of the Division’s attorneys’ fees and investigative costs.