Virtua Medical Group, one of southern New Jersey’s largest health care providers, will pay more than $400,000 in fines and penalties in order to settle claims that it failed to properly protect the privacy of patients whose medical records were made available online, The New Jersey Law Journal reports.
In addition to paying the state $417,816, Virtua will move internally to enhance its data security practices, the statement said.
Virtua, headquartered in Marlton, agreed to the settlement after a Division of Consumer Affairs investigation concluded that the company failed to comply with federal health care data security standards and publicly exposed the medical information, including patient names, medical diagnoses and prescriptions, of up to 1,654 individuals treated at Virtua Surgical Group in Hainesport, Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees.
The release of the information, which occurred in January 2016, was caused by a badly configured server, the Attorney General’s Office said.
The DCA alleged that Virtua failed to conduct a thorough analysis of the risk to the confidentiality of the electronically protected health information it sent to a third-party vendor and failed to appropriately implement security measures to reduce that risk, thus violating the federal Health Insurance Portability and Accountability Act.
Virtua released a statement after the state’s announcement.
“[Virtua] was made aware that a transcription vendor had inadvertently allowed patient information to be accessible via an internet search engine,” the statement said. “VMG addressed the issue, notified patients who were potentially impacted, and complied with its federal and state reporting obligations. VMG ceased working with the … service immediately after the issue was discovered. VMG is committed to protecting the security and confidentiality of our patients’ information and regrets that this incident occurred.”