[BreachExchange] Defunct Georgia Vendor Responsible for Exposing Virtua Medical Group Patient Files Online Agrees to $200,000 Settlement

Destry Winant destry at riskbasedsecurity.com
Tue Nov 6 02:22:54 EST 2018


https://www.insidernj.com/press-release/defunct-georgia-vendor-responsible-exposing-virtua-medical-group-patient-files-online-agrees-200000-settlement/

NEWARK – Attorney General Gurbir S. Grewal and the New Jersey Division
of Consumer Affairs today announced a $200,000 settlement with a
now-defunct Georgia company responsible for a 2016 security lapse that
allowed the public to view online patient records belonging to more
than 1,650 individuals treated by doctors associated with Virtua
Medical Group (“VMG”), a southern New Jersey network of medical and
surgical practices.

The settlement with ATA Consulting LLC, which did business as Best
Medical Transcription, and its owner, Tushar Mathur, resolves
allegations that the company violated the federal Health Insurance
Portability and Accountability Act (“HIPAA”) and the New Jersey
Consumer Fraud Act (“CFA”) in connection with a server
misconfiguration that publicly exposed the private health
information – including the names and medical diagnoses – of up to
1,654 individuals treated at Virtua Surgical Group in Hainesport,
Virtua Gynecological Oncology Specialists, and Virtua Pain and Spine
Specialists in Voorhees.

In addition to civil penalties and reimbursement of attorneys’ fees
and costs, the settlement with Best Medical Transcription permanently
bars Mathur from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by
vigorously enforcing the laws safeguarding their personal health
information,” said Attorney General Grewal. “Our action against Best
Medical Transcription demonstrates that any entity that fails to
comply with its duty to protect private health records of New Jersey
patients will be held accountable.”

“Patient privacy laws don’t just apply to doctors, they also apply to
vendors like Best Medical Transcription, which provided medical
transcription services to Virtua Medical Group,” said Paul R.
Rodríguez, Acting Director of the Division of Consumer Affairs. “Our
settlement with Best Medical Transcription sends a message that New
Jersey requires compliance from all entities bound by patient privacy
standards.”

The server misconfiguration occurred in January 2016. All potentially
affected patients, which included 1,617 New Jersey residents, were
notified about the security breach in March 2016.

The security breach occurred when Best Medical Transcription,
contracted to transcribe dictations of medical notes, letters, and
reports by doctors at the three VMG practices, updated software on a
password-protected File Transfer Protocol website (“FTP Site”) where
the transcribed documents were kept. During the update, the vendor
unintentionally misconfigured the web server, allowing the FTP Site to
be accessed without a password.

After the FTP Site became unsecured, Internet searches using search
terms containing any of the dictation information, such as patient
names, doctors’ names or medical terms, would have been able to
locate, access and download the exposed documents from the FTP Site,
the Division investigation found.

On January 22, 2016, VMG received a phone call from a patient
indicating that her daughter found portions of her medical records
from Virtua Gynecological Oncology Specialists through a Google web
search. The Division’s investigation found that at that time, VMG was
not aware of the source of the information viewed by the daughter
because Best Medical Transcription had not notified them of the
security breach.

In April 2018, VMG agreed to pay over $417,000 and improve its data
security practices to settle allegations that it failed to conduct a
thorough analysis of the risk to the confidentiality of the electronic
protected health information (“ePHI”) it sent to Best Medical
Transcription, and failed to implement security measures to reduce
that risk, in violation of HIPAA.

As a result of its investigation, the State alleged the defendants
engaged in violations of HIPAA’s Security Rule, Breach Notification
Rule, and Privacy Rule with regard to the defendants’ role in the data
breach, including:

- Failing to conduct an accurate and thorough risk assessment of the
  potential risks and vulnerabilities to the confidentiality, integrity,
  and availability of ePHI it held;
- Failing to implement security measures sufficient to reduce risks and
  vulnerabilities to a reasonable and appropriate level to comply with
  the Security Rule;
- Failing to implement policies and procedures to protect ePHI from
  improper alteration or destruction;
- Failing to notify VMG of the breach of unsecured PHI; and
- Improperly using and/or disclosing ePHI in contravention of its
  obligations under its Business Associate Agreement with VMG.

The State further alleged that the public exposure of at least 462
patients’ doctors’ letters, medical notes, and other reports, and Best
Medical Transcription’s violations of HIPAA’s Security Rule, Breach
Notification Rule and Privacy Rule, constituted separate and
additional unconscionable commercial practices, in violation of the
CFA.

As of June 2017, Best Medical Transcription has dissolved as a
business, a process which it undertook independent of the State’s
investigation. Pursuant to the Final Consent Judgment resolving the
State’s allegations, Mr. Mathur agreed to no longer serve as an
officer, director, trustee, member of an executive board or similar
governing body, principal, manager or stockholder owning 10% or more
of the aggregate outstanding capital stock of all classes of any
corporation in New Jersey.

The defendants agreed to a $200,000 settlement amount, consisting of
$191,492.00 in civil penalties and $8,508 in reimbursement of the
State’s attorneys’ fees and investigative costs. Under the terms of
the Final Consent Judgment, the defendants agreed to pay $30,508.00 of
the settlement amount within 30 days of the effective date of the
settlement. Based on the defendants’ agreement to the business
practices and permanent injunctive relief, and their representations
regarding their current financial condition, the State agreed to
suspend the balance of the settlement, provided the defendants comply
with the terms of the Final Consent Judgment.

Investigator Aziza Salikhova of the Division of Consumer Affairs’
Cyber Fraud Unit conducted this investigation.

Deputy Attorneys General of the Affirmative Civil Enforcement Practice
Group Carla S. Pereira and Elliott M. Siebers represented the State in
this matter.
