Virtua Medical Group agrees to pay $418k to settle patient records breach

Julie Spitzer

Virtua Medical Group, a network of physicians affiliated with more than 50 South New Jersey-based medical and surgical practices, agreed to pay $417,816 to settle allegations it failed to secure more than 1,650 patients' medical records when they were made accessible online.

The breach resulted from a private vendor's server misconfiguration error that occurred in January 2016. That vendor, Best Medical Transcription, unintentionally misconfigured the web server and allowed VMG's File Transfer Protocol website — a password-protected site that hosts transcribed documents — to be viewable without a password.

The New Jersey Division of Consumer Affairs, which investigated the incident, alleged VMG did not conduct a thorough analysis of the risk associated with electronically sharing protected health information with its third party and it failed to implement security measures, which amounted to a HIPAA violation.

"Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server," New Jersey Attorney General Gurbir Grewal said in a press release. "Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken."

VMG agreed to implement a corrective action plan to address its third party's conduct via an analysis of security risks associated with the storage, transmission and receipt of ePHI. It also agreed to pay $417,816, comprising $407,184 in civil penalties and $10,632 in reimbursement of the state's attorneys' fees and investigative costs.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.