For Immediate Release:
April 4, 2018

Office of The Attorney General
- Gurbir S. Grewal, Attorney General
Division of Consumer Affairs
- Sharon M. Joyce, Acting Director
Division of Law
- Michelle Miller, Director

For Further Information:
Media Inquiries-
Lisa Coryell
609-292-4791
Citizen Inquiries-
609-984-5828

Virtua Medical Group Agrees to Pay Nearly $418,000, Tighten Data Security to Settle Allegations of Privacy Lapses Concerning Medical Treatment Files of Patients

NEWARK – Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs today announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians exclusively affiliated with more than 50 South Jersey medical and surgical practices, has agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.

VMG, a non-profit New Jersey captive Professional Association of Virtua Health Inc. headquartered in Marlton, agreed to the settlement terms after the Division’s investigation concluded that VMG’s failure to comply with federal healthcare data security standards publicly exposed the medical information – including patient names, medical diagnoses and prescriptions – of up to 1,654 individuals treated at Virtua Surgical Group in Hainesport, and Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees.

The server misconfiguration occurred in January 2016.  All potentially affected patients, which included 1,617 New Jersey residents, were notified about the security breach in early March 2016.

The Division alleged that VMG’s failure to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information (“ePHI”) it sent to a third-party vendor, and its failure to implement security measures to reduce that risk, violated the federal Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.

“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Gurbir S. Grewal.  “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it.  When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”

The VMG privacy breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at the three VMG practices, updated software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password.

After the FTP Site became unsecured, anyone who searched Google using search terms that happened to be contained within the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP Site, the Division investigation found. 

“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, Acting Director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough.  You must fully vet your vendors for their security as well.”

The Division’s investigation found that even after Best Medical Transcription corrected the server misconfiguration, removed the transcribed documents from the FTP Site, and restored the password protection on January 15, Google retained cached indexes of the files which remained publicly accessible on the internet.

On January 22, VMG received a phone call from a patient indicating that her daughter had found portions of her medical records from Virtua Gynecological Oncology Specialists on Google.  The Division’s investigation found that at that time, VMG was not aware of the source of the information viewed by the daughter because Best Medical Transcription had not notified them of the security breach.

Upon completing an internal investigation into the matter on February 4, VMG contacted the New Jersey State Police and the FBI to report the security incident.  That same day VMG placed a request to remove the entire FTP Site from Google’s cache. Additionally, VMG went to each of the 462 VMG patient records it had found and identified on Google and, over a period of many hours, successfully removed them, one at a time, from Google.

The Division alleges that VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the VMG data breach, including:

  • Failing to implement a security awareness and training program for all members of its workforce, including management.
  • Being delayed in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome.
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP Site.
  • Improperly disclosing the protected health information (“PHI”) of its patients.
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The Division further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and VMG’s violations of HIPAA’s Security Rule and Privacy Rule, constituted separate and additional unconscionable commercial practices, in violation of the New Jersey Consumer Fraud Act.

In settling the Division’s investigation, VMG agreed to implement a Corrective Action Plan that includes hiring a third-party professional to conduct a thorough analysis of security risks associated with the storage, transmission and receipt of ePHI in VMG buildings, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years.  VMG also agreed to pay $417,816, comprised of $407,184 in civil penalties and $10,632 in reimbursement of the Division’s attorneys’ fees and investigative costs.

Investigator Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.

Deputy Attorneys General Russell M. Smith, Jr. and Carla S. Pereira represented the State of New Jersey in this matter.
