Virtua Medical Group to Pay $418,000 Data Breach Settlement

Posted in Electronic Health Records, HIPAA and the HITECH Act, Home Healthcare, Hospitals and Institutions, Litigation, Privacy and Data Protection, State Matters

Virtua Medical Group, a health network with more than 50 medical and surgical practices in southern New Jersey, has agreed to pay a $417,816 fine to settle allegations that it failed to properly protect its patients’ privacy. The State Office of the Attorney General (AG) and Division of Consumer Affairs announced the settlement in a joint press release on April 4. The settlement is notable as one of the few instances to date in which state regulators have stepped in to enforce HIPAA rules in connection with a data breach.

A medical transcription vendor’s misconfiguration of a computer server allowed the medical information of up to 1,654 of Virtua’s patients to be accessible on the internet without a password from January to March 2016. According to the AG’s press release, the affected patients were treated at Virtua Surgical Group in Hainesport, and Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees. Virtua’s multi-specialty network includes 500 clinicians as well as hospitals, urgent care centers, and other facilities and services.

Upon investigating the data breach, the New Jersey authorities determined that Virtua had failed to implement a security awareness and training program for its workforce, to properly respond to and mitigate the harmful effects of the breach, and to otherwise follow proper procedures under the HIPAA Security and Privacy Rules, among other things. The settlement requires Virtua to implement a Corrective Action Plan and improve its data security practices.

In the press release, the Division of Consumer Affairs’ acting director said, “Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it. This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”

No action has been taken against Virtua’s Georgia-based vendor, Best Medical Transcription.
