In N.J., Data Holders Liable for Breaches Caused by Third-Party Users
April 5, 2018 | Nancy A. Del Pizzo
New Jersey holders of individuals’ personal and confidential information are on alert that it is not enough to secure the data stored and/or used on their own platforms if that data is also accessed by a third party.
On March 1, 2018, the Superior Court of New Jersey entered a Final Consent Judgment (the “Consent Judgment”) requiring Virtua Medical Group, P.A., (VMG) to pay more than $400,000 and improve its data security practices, including its attention to the data security practices of third-party vendors to whom VMG entrusts its patients’ information.
VMG, a network of physicians affiliated with more than 50 New Jersey medical and surgical practices, experienced a breach of patient data in 2016. The breach resulted in 1,654 patients’ medical information becoming freely accessible on the internet, according to a press release issued on April 4, 2018 by the N.J. Department of Law & Public Safety Office of the Attorney General. But VMG did not cause the breach. Instead, it occurred when the server of VMG’s third-party vendor, ATA Consulting LLC d/b/a Best Medical Transcription (BMT), became misconfigured.
BMT had subcontracted with New Delhi, India-based Tojo-Vikas International Pvt. Ltd. (Tojo) to provide medical transcription services for its customers, including for VMG, according to the Consent Judgment. The breach is believed to have occurred when a File Transfer Protocol site set up for BMT to upload files for Tojo’s use was inadvertently reconfigured during a software update, according to the Consent Judgment. When the breach occurred, it became possible for an individual searching on Google to download patient files by inputting patient names, doctor names, or the affected VMG practice names.
The claims the State of New Jersey lodged against VMG included violations of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the Department of Health and Human Services Regulations, 45 C.F.R. § 160 et seq. (collectively, HIPAA), and violations of New Jersey’s powerful Consumer Fraud Act, N.J.S.A. § 56:8-2. The State of New Jersey also alleged that VMG failed to conduct an assessment of BMT to uncover potential risks or vulnerabilities regarding the electronic protected health information (ePHI) it provided to BMT.
Notably, as the press release states, VMG was held accountable because even though its third-party vendor had caused the breach, the data that was breached was VMG’s patient data, and under HIPAA, VMG is responsible to protect it.
In addition to the substantial monetary settlement, VMG agreed to corrective actions requiring it to hire an independent third party for each of several years to, among other tasks, “conduct a risk analysis of security risks and vulnerabilities to patient ePHI in VMG facilities, including policies and practices for handling, containing, storing, transmitting and/or receiving ePHI and a review of the actions that are the subject” of the Consent Judgment. VMG must submit formal reports and revise its policies and procedures based on those findings.
The lesson is that data holders must concentrate their efforts not only on ensuring that internal practices and procedures effectively secure their own electronic platforms, but also on ensuring that third-party vendors and/or consultants are capable of effectively securing all confidential information shared with them for business purposes.
- Nancy A. Del Pizzo