New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information.
Protected Health Information of 1,654 Patients Was Accessible Through Search Engines
Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.
In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was updated.
In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.
The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.
While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.
New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough risk assessment of potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.
Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.
“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”
HIPAA-Related Fines and Settlements with Attorneys General in 2018
While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.
| State | Covered Entity | Amount | Individuals affected | Settlement/CMP |
| New Jersey | Best Transcription Medical | $200,000 | 1,650 | Settlement |
| Washington | Aetna | TBA | 13,160 | Settlement (Multi-state action) |
| Connecticut | Aetna | $99,959 | 13,160 | Settlement (Multi-state action) |
| New Jersey | Aetna | $365,211.59 | 13,160 | Settlement (Multi-state action) |
| District of Columbia | Aetna | $175,000 | 13,160 | Settlement (Multi-state action) |
| Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement |
| New York | Arc of Erie County | $200,000 | 3,751 | Settlement |
| New Jersey | Virtua Medical Group | $417,816 | 1,654 | Settlement |
| New York | EmblemHealth | $575,000 | 81,122 | Settlement |
| New York | Aetna | $1,150,000 | 12,000 | Settlement |
The post $200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach appeared first on HIPAA Journal.