When a business entrusts its customers’ personal information to a third party, and that third party fails to properly protect the information, both entities may pay a price. Now, the New Jersey Attorney General has shown that the price can include a ban on a business owner ever again managing or owning a business in New Jersey.
As previously noted in this blog, ATA Consulting, LLC (“ATA”), a Georgia medical transcription service retained by Virtua Medical Group (“VMG”), had subcontracted VMG’s medical transcription work to a company in India. That company unintentionally misconfigured a web server while updating software on a password-protected File Transfer Protocol website, allowing the site to be accessed without a password. As a result, some of VMG’s patient information became publicly available via a Google search of terms contained within the transcriptions.
VMG had a HIPAA Business Associate Agreement in place with ATA which, typically, would require ATA to comply with HIPAA’s Privacy and Security Rules and the federal Data Breach Notification Rule, and to bind its subcontractors to the same. The New Jersey Attorney General alleged that ATA failed to comply with many requirements of those laws and that each and every violation constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. Those violations involved the public exposure of information in 462 patient records, requiring notice to over 1,500 patients. While the settlement resolves the Attorney General’s allegations, it does not limit or otherwise affect private rights of action of anyone not a party to the settlement. In addition to a $200,000 penalty (much of it suspended due to ATA’s financial condition), ATA’s owner is barred from managing or owning any business in New Jersey, an enforcement measure that shows the Attorney General’s aggressive stance against those who don’t take seriously their obligations regarding protected personal information.
Cybersecurity is not just about criminal hackers. When businesses assess their cybersecurity status and what measures they must take to protect customer and employee information, third-party risk from vendor relationships should not be overlooked. These measures will be discussed on November 29th at Alloy Silverstein’s 2018 Security Symposium: Threat and Crisis Management for the Modern Workforce, at the DoubleTree Suites in Mount Laurel, New Jersey.