NJ AG states “having a good handle on your own cybersecurity is not enough”: vendors’ security must be vetted as well

 

 

UPDATE

The Attorney General’s office also filed charges against the transcription service, ATA Consulting LLC, operating as Best Medical Transcription. In November 2018, Best Medical Transcription settled allegations related to a 2016 security lapse that made public — through Google web searches — the medical records of 1,654 patients treated by Virtua Medical Group doctors, the New Jersey Attorney General’s Office said Friday.

The $200,000 settlement with New Jersey resolves the alleged violations of the federal Health Insurance Portability and Accountability Act concerning patient information and the New Jersey Consumer Fraud Act, the attorney general’s office said.

Best Medical Transcription dissolved in 2017 and its owner, Tushar Mathur, agreed to no longer be a business owner in New Jersey.


On April 4, 2018, Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians, has agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.

The NJ Division alleged that VMG’s failure to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information it sent to a third-party vendor, and its failure to implement security measures to reduce that risk, violated the federal Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.

“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, Acting Director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”

 

The press release is available at http://nj.gov…

 

For more information contact Francesca Giannoni-Crystal
