For failing to protect the privacy of its patients, Virtua Medical Group, composed of hundreds of South Jersey doctors, has agreed to pay $418,000 and improve data security protocols, state officials announced Wednesday.
In January 2016, the daughter of a patient found portions of her mother’s medical records online while doing a Google search. An investigation found that confidential records for more than 1,650 patients were left unsecured after one of the medical group’s vendors updated its commercial software and reconfigured its computer server. The move rendered the files, which were cached by Google, to be publicly exposed and viewed by anyone without a password.
The group, an alliance of doctors affiliated with Virtua Health, was blindsided by the breach and agreed to the settlement with the state on March 1. The settlement document described the breach as an “unconscionable commercial practice.”
The vendor, Best Medical Transcription of Georgia, had been hired to transcribe notes, letters and reports from patients who had been treated by Virtua gynecologic oncology specialists in Voorhees, the Virtua Surgical Group in Hainesport, and Virtua Pain and Spine Specialists in Voorhees. The records were removed from the internet. VMG severed its contract with the transcription company.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, acting director of the New Jersey Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security, as well.”