A recent breach of medical records, caused by the accidental upload of 1,654 files, left patients’ protected health information publicly available: indexed and searchable on Google, according to Healthcare IT News. According to the article, a password-protection function was removed during a software update of the FTP site involved, which led to the exposure. Medical transcription company Best Medical Transcription (Best Medical), now defunct, is paying a $200,000 settlement, and the company’s owner is barred from ever owning or managing another business in the state of New Jersey.
In January 2016, the transcription vendor Best Medical uploaded 1,654 files through an FTP vendor on behalf of Virtua Medical Group (VMG), a network of physicians. The authentication code normally needed to upload such files was not required in this case because a software update had removed that requirement. After the breach, VMG ended its contract with Best Medical and paid a $418,000 fine to the New Jersey Attorney General (AG).
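The failure described above is a configuration regression: an update rewrote the FTP service's settings and the authentication requirement silently disappeared. The defensive control is a post-update check that compares the live configuration against a required policy and against the pre-update file, so the drift is caught before the site goes back into service. The script below is an added example, not code from the article or from either company's systems; it assumes a vsftpd-style `key=value` configuration file (the directive names are vsftpd's, the required values are this example's assumed policy), and both sample configurations are constructed for illustration.

```python
"""Audit an FTP daemon's configuration for authentication regressions after an update.

Added example. Assumes a vsftpd-style key=value config; the "before" and "after"
sample files below are constructed, not taken from any real system.
"""

# Security-relevant vsftpd directives and the value this example's policy requires.
REQUIRED = {
    "anonymous_enable": "NO",    # no unauthenticated logins
    "anon_upload_enable": "NO",  # no unauthenticated uploads
    "local_enable": "YES",       # real accounts must authenticate
    "ssl_enable": "YES",         # protect credentials and PHI in transit
    "xferlog_enable": "YES",     # keep an access/transfer log
}

# Constructed sample: vendor configuration before the update.
BEFORE_UPDATE = """
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=NO
anon_upload_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
xferlog_enable=YES
"""

# Constructed sample: the update rewrote the file and dropped the auth settings.
AFTER_UPDATE = """
# vsftpd.conf (constructed sample, post-update)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
"""


def parse_config(text):
    """Parse key=value lines; skip blanks and '#' comment lines; later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings


def audit(settings, required=REQUIRED):
    """Return findings for directives that are missing or differ from the policy."""
    findings = []
    for key, want in required.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key}: missing (daemon's compiled-in default applies; required {want})")
        elif have != want:
            findings.append(f"{key}: {have} (required {want})")
    return findings


def drift(before, after):
    """Directives whose value changed between two configs, e.g. across an update."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys) if before.get(k) != after.get(k)}


if __name__ == "__main__":
    old, new = parse_config(BEFORE_UPDATE), parse_config(AFTER_UPDATE)
    print("Policy findings before update:", audit(old) or "none")
    print("Policy findings after update:")
    for f in audit(new):
        print("  -", f)
    print("Drift introduced by the update:")
    for key, (was, now) in drift(old, new).items():
        print(f"  - {key}: {was} -> {now}")
```

Run as a post-deployment gate: a non-empty `audit()` result on the live file, or any entry in `drift()` touching an authentication or logging directive, should block the service from being re-exposed until someone has reviewed the change.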
The New Jersey AG determined that VMG did not conduct a thorough risk analysis of the confidentiality of patient data sent to its transcriptionist, nor did it implement the proper security features to reduce the associated risk, Healthcare IT News reported.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, acting director of the Division of Consumer Affairs in the New Jersey AG’s office, in a statement.
VMG was also found guilty of additional HIPAA violations, according to the statement:
- Failing to implement a security awareness and training program for all members of its workforce, including management.
- Being delayed in identifying and responding to the security incident, mitigating its harmful effects, and documenting the incident and its outcome.
- Failing to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information maintained on the FTP site.
- Improperly disclosing the protected health information of its patients.
- Failing to maintain a written or electronic log of the number of times the FTP site was accessed.