Company pays $200K after Virtua med records end up on Google

Nov. 6, 2018

The breach of more than 1,650 patients’ medical information will cost a defunct Georgia consulting company $200,000 and its rights to run a business in New Jersey.

ATA Consulting LLC, operating as Best Medical Transcription, settled allegations related to a 2016 security lapse that made public—through Google web searches—the medical records of 1,654 patients treated by Virtua Medical Group doctors, the New Jersey Attorney General’s Office said Nov. 2.

The $200,000 settlement with New Jersey resolves the alleged violations of the federal Health Insurance Portability and Accountability Act concerning patient information and of the New Jersey Consumer Fraud Act, the attorney general’s office said.

The breach exposed the names and medical diagnoses of patients treated at Virtua Surgical Group in Hainesport, and Virtua Gynecological Oncology Specialists and the Virtua Pain and Spine Specialists, both located in Voorhees.

“Virtua Medical Group recognizes and appreciates the state’s thoroughness in advocating for the privacy of New Jersey residents’ medical records,” the health system said in a statement Nov. 2.

The medical group “immediately stopped working with Best Medical Transcription when the information breach was discovered.” It has taken additional steps to protect privacy, the statement continued.

The security breach occurred in January 2016 through a server misconfiguration. Best Medical Transcription was contracted by the three Virtua Medical Group practices to transcribe dictations of medical notes, letters, and reports. The records became publicly accessible after doctors at the practices completed a software update. The update removed the password protection that had been required to access the documents.

Patients were notified of the breach in March 2016 after a woman found her own medical records online through a simple Google search, the attorney general’s office said.

In April, Virtua Medical Group paid more than $417,000 to improve its data protection protocol.

Best Medical Transcription dissolved in 2017 and its owner, Tushar Mathur, agreed to no longer be a business owner in New Jersey.

Courier Post has the story.