On November 2, 2018, the Office of the NJ Attorney General and the NJ Division of Consumer Affairs (collectively, the “State”) announced a $200,000 settlement with the now-dissolved ATA Consulting, LLC, which did business as Best Medical Transcription (“Best Medical”), and its owner, Tushar Mathur. The settlement resolves allegations involving Best Medical’s role in a 2016 breach that affected more than 1,650 patients of Virtua Medical Group (“VMG”), a network of medical and surgical practices in southern New Jersey. Notably, in addition to civil penalties and reimbursement of attorneys’ fees and investigative costs, the settlement permanently bars Mathur from managing or owning a business in New Jersey.

VMG had contracted with Best Medical for the provision of transcription services. Specifically, three VMG practices submitted dictations of doctors’ letters, medical notes, and other reports to Best Medical through a telephone recording service. Best Medical would then upload the recorded sound files to a password-protected File Transfer Protocol (“FTP”) site, and Best Medical’s subcontractor would transcribe the dictations into text documents, which were subsequently posted back to the same FTP site.

In January 2016, it was discovered that Mathur had inadvertently misconfigured the FTP site during a software update; the change removed the access restrictions so that the site was reachable over the internet without any authentication. Google had crawled and indexed the exposed files, so anyone searching for terms that happened to appear in the dictations could have received results linking directly to the files, which could then be downloaded. VMG learned of the incident when a patient called to report that her daughter had found portions of her medical records through a Google web search. VMG had not received notice of the breach from Best Medical.
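The failure mode here is a configuration regression introduced by an update, not an attack. As an added example (not code from the article or from any party it describes), the script below shows the kind of post-update check that would have caught it. The article does not say which FTP software was in use, so the example assumes a vsftpd-style key=value config file and uses constructed sample configs; it also assumes one plausible mechanism for the regression, namely that the update rewrote the file and dropped the `anonymous_enable` line, after which vsftpd's compiled-in default of `YES` applies.

```python
"""Post-update audit of an FTP server configuration.

Added example; it is not code from the article or from any party named in it.
The article does not say which FTP software Best Medical ran, so this assumes
a vsftpd-style key=value config file (vsftpd.conf) and uses constructed sample
configs. It demonstrates one way a "software update" turns a password-protected
server into an open one: if the update drops or comments out a line, the key
falls back to vsftpd's compiled-in default, and for anonymous_enable that
default is YES.
"""
from typing import Dict, List

# Compiled-in defaults documented in vsftpd.conf(5) for the keys audited here.
# An absent key takes the default, which is the failure mode this audit catches.
DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
}


def _is_yes(value: str) -> bool:
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0, case-insensitively."""
    return value.strip().upper() in ("YES", "TRUE", "1")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.

    Lines without '=' are skipped rather than guessed at (vsftpd itself
    refuses to start on them), so a half-written line cannot mask a finding.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_settings(text: str) -> Dict[str, bool]:
    """Resolve each audited key to its effective boolean, applying defaults."""
    present = parse_vsftpd_conf(text)
    return {key: _is_yes(present.get(key, default)) for key, default in DEFAULTS.items()}


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    eff = effective_settings(text)
    findings: List[str] = []
    if eff["anonymous_enable"]:
        findings.append(
            "anonymous_enable is YES (set explicitly or by default): "
            "anyone who can reach the port can log in with no credentials")
        if eff["anon_upload_enable"]:
            findings.append("anon_upload_enable is YES: unauthenticated users can also write")
    if not eff["ssl_enable"]:
        findings.append(
            "ssl_enable is NO: credentials and file contents cross the wire in cleartext")
    return findings


# Constructed sample: the config as it was meant to be, authenticated users only.
BEFORE_UPDATE = """\
# constructed vsftpd.conf sample, not from any real system
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

# Constructed sample of the post-update state: the update rewrote the file and
# the anonymous_enable line is gone, so the compiled-in default (YES) applies.
AFTER_UPDATE = """\
# constructed vsftpd.conf sample, not from any real system
listen=YES
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("before update", BEFORE_UPDATE), ("after update", AFTER_UPDATE)):
        problems = audit(conf)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The design point is that the audit resolves every key to its effective value, defaults included, rather than grepping for an explicit `anonymous_enable=YES`; a grep would have passed the post-update file even though the server was wide open. Running a check like this in the update procedure, and confirming from outside the network that an anonymous login is refused, is the control that was missing.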

Based upon its investigation, the State alleged that the defendants had violated the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. The State’s allegations included the defendants’: (i) failure to conduct an accurate and thorough risk assessment; (ii) failure to implement adequate security measures; (iii) failure to notify VMG of the breach; and (iv) failure to document a satisfactory business associate agreement with their subcontractor.

In April 2018, VMG entered into a settlement with the State to resolve allegations that it had failed to conduct a risk analysis regarding the confidentiality of protected health information sent to Best Medical and had failed to implement adequate security measures. VMG agreed to pay over $417,000 and to improve its data security practices.

The Office of the NJ Attorney General news release regarding this case is available here.

Our take

Although covered entities may be held responsible for breaches experienced by their business associates, vendors may also be held directly responsible. In this case, both the covered entity and the business associate were fined by the State of NJ. The case also demonstrates that penalties for HIPAA violations are not limited to fines: Mathur is now permanently barred from owning or managing a business in New Jersey. Covered entities and business associates alike must take their HIPAA compliance programs seriously, as a single breach may devastate a business and destroy its owners’ careers.