Third-Party Vendor’s Breach leads to Medical Practice’s $400,000 Settlement Payment Under HIPAA and New Jersey Consumer Fraud Act

The Attorney General of New Jersey and the New Jersey Division of Consumer Affairs (“Division”) have announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians affiliated with more than fifty southern New Jersey medical and surgical practices, has agreed to pay over $400,000 and enter into a corrective action plan to resolve allegations by the Division related to a vendor’s data breach. The Attorney General, in its capacity as enforcer of both the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA), alleged that VMG failed to conduct a thorough analysis of the risk to the confidentiality of electronic protected health information (“ePHI”) sent to its third-party vendor, and that its failure to implement security measures to reduce that risk violated HIPAA’s Security Rule.

The third-party vendor, a Georgia medical transcription service, subcontracted the work to a company in India. While updating software on a password-protected File Transfer Protocol website (“FTP Site”), the subcontractor unintentionally misconfigured the web server so that the FTP Site could be accessed without a password. As a result, the sensitive documents became publicly available via a Google search for terms contained within the transcriptions. Even after password protection was restored, Google retained cached copies of the files, which remained publicly accessible on the Internet until they were removed more than a month later; fixing the server closed the door, but not the copies the search engine had already taken. VMG apparently had a HIPAA Business Associate Agreement in place that required the Georgia transcription service to bind its subcontractors to the same terms and to notify VMG of any security incidents. But VMG was unaware of the India subcontractor and was not advised of the security incident within the contractual timeframe.
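The failure described above is a server that was meant to require a password and, after a software update, no longer did. What follows is an added example, not part of the original post and not code from VMG or its vendors: a small Python linter for a vsftpd-style configuration file that reports when anonymous (password-less) login is in effect, including the case where an update simply dropped the directive and the daemon’s compiled-in default took over. The page does not identify the FTP software involved, so the vsftpd key=value syntax and the default values are assumptions taken from the vsftpd.conf documentation, and the three sample configurations are constructed for illustration.

```python
"""Lint a vsftpd-style configuration for settings that would let an FTP
site meant to be password-protected be read without a password.

Added example; the FTP daemon in the incident is not named, so the
vsftpd key=value syntax and its defaults are assumptions taken from
the vsftpd.conf documentation. The sample configs below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Compiled-in defaults that apply when a directive is absent (assumption:
# values as documented in vsftpd.conf(5); other FTP daemons differ).
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",        # absent directive means anonymous login is ON
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",  # only meaningful when ssl_enable=YES
}

_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_vsftpd(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; whole lines starting with '#' are comments.
    A repeated key overrides the earlier one. Values are upper-cased so that
    'yes' and 'YES' compare equal."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#") or not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if m:
            conf[m.group(1)] = m.group(2).upper()
    return conf


def effective(conf: Dict[str, str], key: str) -> str:
    """Value the daemon would actually use: the file's setting or the default."""
    return conf.get(key, DEFAULTS.get(key, ""))


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings, most severe first."""
    conf = parse_vsftpd(text)
    findings: List[Tuple[str, str]] = []

    if effective(conf, "anonymous_enable") == "YES":
        origin = ("explicitly set" if "anonymous_enable" in conf
                  else "directive absent, so the daemon default applies")
        findings.append(("ANON_LOGIN",
                         f"anonymous_enable is YES ({origin}): files are readable "
                         "without a password"))
        if effective(conf, "anon_upload_enable") == "YES":
            findings.append(("ANON_UPLOAD", "anonymous users may also write files"))

    if effective(conf, "ssl_enable") != "YES":
        findings.append(("CLEARTEXT",
                         "ssl_enable is not YES: passwords and file contents "
                         "cross the network unencrypted"))
    elif effective(conf, "force_local_logins_ssl") != "YES":
        findings.append(("TLS_OPTIONAL",
                         "force_local_logins_ssl is NO: clients may still log in "
                         "without TLS"))
    return findings


def finding_codes(text: str) -> List[str]:
    """Just the finding codes, for quick comparison in scripts and tests."""
    return [code for code, _ in lint(text)]


# Constructed sample configurations (not from the incident).
WEAK_CONF = """\
# anonymous access explicitly on
listen=YES
anonymous_enable=YES
local_enable=YES
"""

DRIFTED_CONF = """\
# after an update that dropped anonymous_enable=NO: nothing here says
# 'anonymous', yet the daemon default turns it on
listen=YES
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("drifted", DRIFTED_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, finding_codes(conf) or ["OK"])
```

The point of the “drifted” case is the one the incident turns on: a configuration that never mentions anonymous access is not the same as one that forbids it, so a check run only on what the file says, rather than on what the daemon would do with it, misses exactly the regression an update can introduce. Run a lint like this against the deployed configuration after every software change, and follow it with a live test that a login with no password is actually refused.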

The Division alleges that, at the time of the incident, VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the breach, including:

  • Failing to implement a workforce security awareness and training program;
  • Delaying in identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome;
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of the electronic PHI maintained on the FTP Site;
  • Improperly disclosing the PHI of its patients; and
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The Division also alleged that the public exposure of the ePHI of at least 462 patients (VMG ultimately notified more than 1,500 potentially affected patients), together with VMG’s HIPAA violations, constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. See the Division’s press release for details.

Medical practices and other healthcare providers that are covered entities under HIPAA should take heed. Although it was a third-party vendor that caused the breach, VMG was held accountable by the Division because it was VMG’s patient data and VMG’s responsibility to protect it, and because the Division’s position was that VMG should have conducted a risk assessment of its Business Associate and implemented the necessary safeguards. Another warning: it could be the State Attorney General, not the federal Office for Civil Rights, who investigates and prosecutes you for HIPAA violations, whether yours or those of your vendors. As the Division Director has warned: “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”

Third-party risk in the HIPAA realm is a focus of the upcoming free seminar “Practical Steps and Expert Advice to Consider When Implementing an Enterprise Risk Management Plan – Financial Management and Human Resources,” being held on Thursday, April 26th at the Indian Cultural Center in Marlton, New Jersey.


Cyber Risk Is Not Going Away

In a future that has become more ambiguous than ever, some things are certain. Businesses, including health care entities, will increasingly rely on data and technology in order to conduct their business. Data containing personal information will continue to be valuable. The risk of liability for those holding that data will remain, whether the enforcer is at the federal or state level in a regulatory action, or a private citizen filing suit. Safeguarding data against cyber-attacks and other impermissible disclosures must continue to be a priority for those who use and share data.

In the healthcare world, HIPAA compliance is key. An example is the November 22nd settlement between the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the University of Massachusetts Amherst (UMass). The settlement includes a corrective action plan and a monetary payment of $650,000 (which would have been more had UMass not been operating at a financial loss in 2015). The trigger for the enforcement action was a UMass workstation that became infected with malware, resulting in the wrongful disclosure of the electronic protected health information (ePHI) of 1,670 individuals. The malware was a generic remote access Trojan that infiltrated the UMass system and provided unauthorized access to ePHI; UMass did not have a firewall in place to block it. OCR’s investigation found that UMass failed to conduct an accurate and thorough security risk analysis, failed to have adequate policies and procedures in place, and failed to implement technical security measures.

For healthcare entities and those who handle their data, HIPAA compliance not only is required by law, it is still the most certain way to protect against, prepare for, respond to, and mitigate the effects of a cybersecurity incident.

On Tuesday, December 13, 2016, from 7:30 a.m. to 12:30 p.m., Denise L. Sanders, Esq., will participate in the seminar “Cybercrime: Facts, Threats, and Countermeasures,” held at Rowan University and hosted by Avasek. The seminar includes presentations by Mike Geraghty, Director, NJ Cybersecurity & Communications Integration Cell; Philip Frigm, Supervisory Special Agent, FBI Newark Division; and Lt. Cy Bleistine, NJ State Police, Cyber Crimes Unit; along with David Humphreys, Avasek. As part of an expert panel, Ms. Sanders will address HIPAA and HITECH compliance by healthcare providers facing cybersecurity threats.