The Attorney General of New Jersey and the New Jersey Division of Consumer Affairs (“Division”) have announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians affiliated with more than fifty southern New Jersey medical and surgical practices, has agreed to pay over $400,000 and enter into a corrective action plan, to resolve allegations by the Division related to a vendor’s data breach. The Attorney General, in its capacity as enforcer of both the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA), alleged that VMG failed to conduct a thorough analysis of the risk to the confidentiality of electronic protected health information (“ePHI”) sent to its third-party vendor and that its failure to implement security measures to reduce that risk violated HIPAA’s Security Rule.
The third-party vendor, a Georgia medical transcription service, subcontracted to a company in India, which unintentionally misconfigured a web server while updating software on a password-protected File Transfer Protocol website (“FTP Site”), allowing the FTP Site to be accessed without a password. As a result, the sensitive documents became publicly available via a Google search of terms contained within the transcriptions. Even after the password protection was restored, Google retained cached indexes of the files, which remained publicly accessible on the Internet until removed over one month later. VMG apparently had a HIPAA Business Associate Agreement in place that required the Georgia transcription service to similarly bind subcontractors and to notify VMG of any security incidents. But VMG was unaware of the India subcontractor and was not advised of the security incident within the contractual timeframe.
The Division alleges that, at the time of the incident, VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the breach, including:
- Failing to implement a workforce security awareness and training program;
- Delaying in identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome;
- Failing to establish and implement procedures to create and maintain retrievable exact copies of the electronic PHI maintained on the FTP Site;
- Improperly disclosing the PHI of its patients; and
- Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.
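Two of the facts above are checkable with a few lines of log analysis: the FTP site was reachable without a password, and no record was kept of how often it was accessed. The script below is an added example, not code from the original post or from VMG or its vendors. It parses constructed log lines that imitate vsftpd's default log format (documentation IP addresses, invented usernames and paths), counts logins and downloads per account, and flags any successful "anonymous" login or download, which on a share that is supposed to be password-protected is the misconfiguration that exposed the transcriptions.

```python
"""Summarise access to an FTP share from vsftpd-style log lines.

Added example: the log text below is constructed for illustration. It is
modelled on vsftpd's default log format but is not a real server's log.
"""
import re
from collections import Counter

# Constructed sample: one legitimate upload, then downloads by "anonymous",
# which should never succeed on a password-protected share.
SAMPLE_LOG = """\
Mon Jan  8 09:14:02 2018 [pid 2] [transcribe] OK LOGIN: Client "198.51.100.7"
Mon Jan  8 09:14:09 2018 [pid 3] [transcribe] OK UPLOAD: Client "198.51.100.7", "/notes/visit-0001.txt", 2048 bytes, 51.20Kbyte/sec
Tue Jan  9 22:31:44 2018 [pid 2] [anonymous] OK LOGIN: Client "203.0.113.55"
Tue Jan  9 22:31:50 2018 [pid 3] [anonymous] OK DOWNLOAD: Client "203.0.113.55", "/notes/visit-0001.txt", 2048 bytes, 40.00Kbyte/sec
Tue Jan  9 22:32:01 2018 [pid 3] [anonymous] OK DOWNLOAD: Client "203.0.113.55", "/notes/visit-0002.txt", 1024 bytes, 30.00Kbyte/sec
Wed Jan 10 03:05:17 2018 [pid 2] [anonymous] FAIL LOGIN: Client "203.0.113.99"
"""

# Timestamp, pid, [user], OK|FAIL, action, client IP, and an optional path.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<action>\w+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Answer the two questions a reviewer would ask of this share:
    how many times was it accessed, and did anyone get in without credentials?"""
    lines = [l for l in log_text.splitlines() if l.strip()]
    parsed = [parse_line(l) for l in lines]
    events = [e for e in parsed if e]
    ok = [e for e in events if e["status"] == "OK"]

    logins = Counter(e["user"] for e in ok if e["action"] == "LOGIN")
    downloads = Counter(e["user"] for e in ok if e["action"] == "DOWNLOAD")
    anonymous_downloads = [
        (e["ip"], e["path"]) for e in ok
        if e["user"] == "anonymous" and e["action"] == "DOWNLOAD"
    ]
    return {
        "total_logins": sum(logins.values()),
        "logins_by_user": dict(logins),
        "downloads_by_user": dict(downloads),
        "anonymous_logins": logins.get("anonymous", 0),
        "anonymous_downloads": anonymous_downloads,
        # Lines the regex rejected: a non-zero count means the summary is incomplete.
        "unparsed": sum(1 for e in parsed if e is None),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"logins: {report['total_logins']} {report['logins_by_user']}")
    print(f"downloads: {report['downloads_by_user']}")
    if report["anonymous_logins"]:
        print("ALERT: successful anonymous login on a share that requires a password")
        for ip, path in report["anonymous_downloads"]:
            print(f"  {path} retrieved by {ip}")
```

On the constructed sample the summary reports two successful logins, one by the transcription account and one anonymous, and two files retrieved anonymously; the failed login is counted nowhere. A retained summary of this kind is the "log of the number of times the FTP Site was accessed" the Division said was missing, and the anonymous-login alert is the signal that would have caught the misconfiguration before search engines indexed the files.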
The Division also alleged that the public exposure of the ePHI of at least 462 patients (ultimately VMG notified over 1,500 potentially affected patients), and VMG’s violations of HIPAA, constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. See the Division press release here.
Medical practices and other healthcare providers that are covered entities under HIPAA should take heed. Although it was a third-party vendor that caused the breach, VMG was held accountable by the Division because it was VMG’s patient data and VMG’s responsibility to protect it, and because the Division’s position was that VMG should have conducted a risk assessment of its Business Associate and implemented the necessary safeguards. Another warning: it could be the State Attorney General, not the federal Office for Civil Rights, who investigates and prosecutes you for HIPAA violations, whether yours or those of your vendors. As the Division Director has warned: “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
Third-party risk in the HIPAA realm is a focus of the upcoming free seminar: “Practical Steps and Expert Advice to Consider When Implementing an Enterprise Risk Management Plan – Financial Management and Human Resources” being held on Thursday, April 26th at the Indian Cultural Center in Marlton, New Jersey.