New Jersey reaches $200,000 settlement for 2016 data breach
The now-defunct Georgia-based company responsible for a 2016 security lapse that allowed the public to view online the patient records of more than 1,650 individuals treated by doctors with Virtua Medical Group (VMG) has reached a $200,000 settlement with the state of New Jersey.
According to the state’s press release, ATA Consulting LLC, at the time known as Best Medical Transcription, violated HIPAA and the New Jersey Consumer Fraud Act due to a server misconfiguration in January 2016 that exposed the protected health information (PHI), including names and medical diagnoses, of patients with VMG, which is a network of medical and surgical practices in southern New Jersey.
Best Medical Transcription was contracted to transcribe dictations of medical notes, letters, and doctors’ reports at three VMG practices. Transcribed documents were stored on a password-protected file transfer protocol (FTP) site. The breach occurred during a software update when Best Medical Transcription unintentionally misconfigured the web server, which allowed the FTP site to be accessed without a password. Once the FTP site was unsecured, information from documents on the site could be found through internet searches for patient names, doctor names, or their medical conditions, and documents could be downloaded from the site without permission.
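As an added example, not from the article (which does not name the FTP software or show any logs), here is the check a defender would run after a server update of this kind: parse vsftpd-style transfer logs and flag every successful login and file transfer by a session that supplied no credentials. The log lines, client addresses and file paths below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed vsftpd-style log lines (assumption: the article does not say which
# FTP daemon was in use). They model an authenticated upload by the transcription
# account, then an unauthenticated session pulling the same documents.
SAMPLE_LOG = """\
Mon Jan 11 09:14:02 2016 [pid 2101] CONNECT: Client "198.51.100.7"
Mon Jan 11 09:14:03 2016 [pid 2101] [transcribe] OK LOGIN: Client "198.51.100.7"
Mon Jan 11 09:14:10 2016 [pid 2101] [transcribe] OK UPLOAD: Client "198.51.100.7", "/vmg/note_0142.docx", 18233 bytes, 91.20Kbyte/sec
Mon Jan 11 22:40:11 2016 [pid 2177] CONNECT: Client "203.0.113.55"
Mon Jan 11 22:40:12 2016 [pid 2177] [anonymous] OK LOGIN: Client "203.0.113.55"
Mon Jan 11 22:40:15 2016 [pid 2177] [anonymous] OK DOWNLOAD: Client "203.0.113.55", "/vmg/note_0142.docx", 18233 bytes, 402.00Kbyte/sec
Mon Jan 11 22:40:19 2016 [pid 2177] [anonymous] OK DOWNLOAD: Client "203.0.113.55", "/vmg/letter_0077.docx", 9021 bytes, 377.10Kbyte/sec
Mon Jan 11 22:41:03 2016 [pid 2180] CONNECT: Client "192.0.2.9"
Mon Jan 11 22:41:04 2016 [pid 2180] [anonymous] FAIL LOGIN: Client "192.0.2.9"
"""

# One vsftpd log line: timestamp, pid, optional [user], OK/FAIL, action, client, path.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<status>OK|FAIL) '
    r'(?P<action>LOGIN|DOWNLOAD|UPLOAD|DELETE)'
    r'(?:: Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?)?'
)

# Account names that mean "no credentials were supplied" on a typical FTP daemon.
UNAUTH_USERS = ("anonymous", "ftp")


def unauthenticated_logins(log_text):
    """Return (timestamp, client_ip) for every successful login without credentials.
    On a site that is supposed to be password-protected, any hit is a misconfiguration."""
    return [
        (m["ts"], m["ip"])
        for m in map(LINE_RE.match, log_text.splitlines())
        if m and m["status"] == "OK" and m["action"] == "LOGIN"
        and m["user"] in UNAUTH_USERS
    ]


def unauthenticated_transfers(log_text):
    """Return {client_ip: [paths]} for files downloaded, uploaded or deleted by
    sessions that logged in without credentials; this is the list of documents
    that must be treated as exposed when scoping the breach."""
    hits = defaultdict(list)
    for m in map(LINE_RE.match, log_text.splitlines()):
        if not m or m["status"] != "OK" or m["action"] == "LOGIN":
            continue
        if m["user"] in UNAUTH_USERS:
            hits[m["ip"]].append(m["path"])
    return dict(hits)
```

Run against the daemon's real log immediately after any update and before re-enabling external access; a non-empty result from either function means the password requirement did not survive the change.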
After its investigation, the state alleged that Best Medical Transcription’s role in the data breach included the following HIPAA violations:
- Failing to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held
- Failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule
- Failing to implement policies and procedures to protect ePHI from improper alteration or destruction
- Failing to notify VMG of the breach of unsecured PHI
- Improperly using and/or disclosing ePHI in contravention of its obligations under its Business Associate Agreement with VMG
In addition to the civil penalties, Tushar Mathur, the owner of Best Medical Transcription, is permanently barred from managing or owning a business in New Jersey. Best Medical Transcription dissolved as a business in June 2017.
Earlier this year, VMG agreed to pay more than $417,000 in civil penalties to the state and to improve its data security practices in a settlement over allegations that it failed to analyze the risk to the PHI it sent to Best Medical Transcription.