Business Associate Pays $200,000 to New Jersey for Virtua Medical Data Breach

Best Medical Transcription agreed to pay a $200,000 settlement to the New Jersey Attorney’s office to resolve HIPAA violations discovered while investigating a 2016 breach in which the protected health information (PHI) of 1,650 individuals was exposed and accessible via search engines.

Best Medical Transcription was contracted to provide transcription services to Virtua Medical Group, a group of medical and surgical practices located in southern New Jersey. It was discovered in January 2016 that Best Medical Transcription had uploaded transcribed files to a File Transfer Protocol (FTP) website, but the website lacked authentication controls. While a password was usually required, that security control had been accidentally removed during a software upgrade. The files were accessible through the search engines and could be found with a standard Google search.

The New Jersey attorney general, together with the New Jersey Division of Consumer Affairs, conducted an investigation of the breach and determined that Virtua Medical Group should have taken steps to prevent the exposure of ePHI. In April 2018, Virtua Medical Group settled with the New Jersey attorney general’s office and agreed to pay $417,816 to resolve the HIPAA violations.

ATA Consulting LLC, dba Best Medical Transcription, was also investigated over the breach and was found to have violated HIPAA Rules. New Jersey claimed Best Medical Transcription violated the HIPAA Security Rule, HIPAA Privacy Rule and HIPAA Breach Notification Rule. New Jersey alleged Best Medical Transcription did not perform a comprehensive risk assessment of potential hazards to the integrity, confidentiality and availability of ePHI.

Appropriate security measures had not been implemented to reduce risk, policies and procedures had not been implemented to prevent the alteration or deletion of ePHI and Best Medical Transcription failed to notify Virtua Medical Group of the breach and that the terms of its business associate agreement had been violated.

Business owner Tushar Mathur will pay $191,492 to New Jersey as acivil monetary penalty for the HIPAA violations, and $8,508 to cover legal fees and expenses. Peculiarly, Mathur has also been barred from managing or owning any business in the state of New Jersey.