NJ medical group fined $418K for HIPAA business associate error

Virtua Medical Group, comprised of more than 50 medical practices across New Jersey, agreed to a fine of more that $418,000 by the state attorney general. An investigation found that the records of about 1,600 patients were exposed. What makes this situation unique, however, is that the server in question was operated by a third-party business associate - in this case a transcription vendor. 

The Virtua breach occurred in January 2016 when transcription services vendor Best Medical Transcription updated the software associated with a File Transfer Protocol (FTP) website which inadvertently reconfigured the server to allow access without a password so patient records were searchable via Google. Even after Best Medical fixed the misconfiguration shortly after it was discovered, cached indexes of the records remained accessible on Google.
But the company never notified Virtua. Instead, the medical practice found out about the breach after a patient’s mother called to report she found portions of her daughter’s medical record online. Two weeks later, Virtua notified law enforcement and individually removed each patient’s information from Google’s cache.
Still, state prosecutors alleged that, among other violations, the provider was delayed in responding to the breach and failed to maintain a written log of when the FTP site was accessed. In addition to paying the fine, Virtua is required to hire a third-party professional to analyze the group’s security risks.

No fine for Best Medical? Business Associates are expected to adhere to the same standards as Covered Entities, though it appears in this case they got off easy. Is it an anomaly? If anything, it is a clear signal to Covered Entities that they must be properly vetting their Business Associates to ensure that they are working with organizations who understand and can comply with HIPAA requirements.