Best Medical Transcription settled with the New Jersey Attorney General for $200,000 for its role in the January 2016 breach of 1,654 Virtua Medical Group patients' records.
As part of the settlement, the owner of Best Medical Transcription also is barred from ever owning or managing a business within the state again.
In January 2016, the transcription vendor accidentally uploaded 1,654 Virtua patient files to an FTP server that was left open to the public, with no authentication required. Worse, the files were indexed by Google and could then be found by searching for key terms from those patient files.
The cause? Password protection was removed during a software update.
Virtua ended its contract with the vendor in response to the breach, and Best Medical dissolved in 2017. The New Jersey AG's office began investigating the incident shortly afterward.
In April 2018, Virtua was fined $418,000 by the New Jersey AG for its role in the breach. The AG found that Virtua not only failed to conduct a thorough risk analysis of the confidentiality of patient data sent to its transcription vendor, it also did not implement the security measures necessary to reduce that risk.
Virtua also failed to create a security awareness and training program, while there were “unacceptable delays” in both identifying and responding to the breach.
WHY IT MATTERS
Simply fining Virtua was not enough. The third-party vendor was also responsible for the misconfiguration, hence the severity of the fine and the bar on doing business in the state.
“Patient privacy laws don’t just apply to doctors,” Paul Rodríguez, acting director of the Division of Consumer Affairs, said in a statement. “Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”
The settlements with both Virtua and the now-defunct Best Medical Transcription serve as an important reminder that organizations need to routinely assess and validate the security measures of their third-party vendors and business associates.
As Jane Harper, Henry Ford Health System director of privacy and security risk management, often reminds the industry: vendor security management should be treated like a marriage, with compliance continually assessed and managed rather than checked once at signing.