Virtua Medical Group, one of southern New Jersey’s largest health care providers, will pay more than $400,000 in fines and penalties in order to settle claims that it failed to properly protect the privacy of patients whose medical records were made available online, the New Jersey Attorney General’s Office announced Wednesday.

In addition to paying the state $417,816, Virtua will move internally to enhance its data security practices, the statement said.

Virtua, headquartered in Marlton, agreed to the settlement after a Division of Consumer Affairs investigation concluded that the company failed to comply with federal health care data security standards and publicly exposed the medical information, including patient names, medical diagnoses and prescriptions, of up to 1,654 individuals treated at Virtua Surgical Group in Hainesport, Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees.

The release of the information, which occurred in January 2016, was caused by a badly configured server, the Attorney General’s Office said.

The DCA alleged that Virtua failed to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information it sent to a third-party vendor and failed to appropriately implement security measures to reduce that risk, thus violating the federal Health Insurance Portability and Accountability Act.

“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Gurbir Grewal in the statement. “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it.”

The privacy breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters and reports by doctors at the three Virtua practices, updated software on a password-protected File Transfer Protocol website, where the transcribed documents were kept. During the update, however, BMT unintentionally misconfigured the web server, allowing the FTP site to be accessed without a password, the statement said.

After the FTP site became unsecured, anyone who searched Google using search terms that happened to be contained within the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP site, the statement said.

The division said that even after BMT corrected the server misconfiguration, removed the transcribed documents from the FTP site, and restored the password protection on Jan. 15, 2016, Google retained cached indexes of the files that remained publicly accessible on the internet.

On Jan. 22 of that year, Virtua received a phone call from a patient indicating that her daughter had found portions of her medical records from Virtua Gynecological Oncology Specialists on Google. The division’s investigation found that at that time, Virtua was unaware of the source of the information viewed by the daughter because BMT had not notified it of the security breach, the statement said.

After an internal investigation in February 2016, Virtua contacted the state police and the FBI to report the security incident. That same day Virtua asked Google to remove its patients’ records from its cache, the statement said.

The division alleged that Virtua engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the VMG data breach, including:

  • Failing to implement a security awareness and training program for all members of its workforce, including management.
  • Delaying in identifying and responding to the security incident.
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP site.
  • Improperly disclosing the protected health information of its patients.
  • Failing to maintain a written or electronic log of the number of times the FTP site was accessed.

Deputy Attorneys General Russell Smith Jr. and Carla Pereira represented the state. Virtua retained Theodore Kobus III, of the New York office of Baker & Hostetler.

Virtua released a statement after the state’s announcement.

“[Virtua] was made aware that a transcription vendor had inadvertently allowed patient information to be accessible via an internet search engine,” the statement said. “VMG addressed the issue, notified patients who were potentially impacted, and complied with its federal and state reporting obligations. VMG ceased working with the … service immediately after the issue was discovered. VMG is committed to protecting the security and confidentiality of our patients’ information and regrets that this incident occurred.”