NJ AG Smacks Practice With Hefty Fine for Vendor BreachSettlement Spotlights Vendor Risks, Plus State Enforcement Trends
The New Jersey state attorney general has smacked a medical practice with a $418,000 penalty for a 2016 breach involving a vendor's misconfiguration of a file transfer protocol server that exposed health data of about 1,600 patients on the internet.
See Also: HIPAA Audits: A Revised Game Plan
Not only is the hefty settlement the latest example of a state attorney general taking an enforcement action in a case involving federal HIPAA violations, but the incident also spotlights why entities need to be proactive in assessing security risks posed by vendors.
The settlement involves Virtua Medical Group - a physicians network operating more than 50 medical practices in New Jersey - that engaged a vendor, Best Medical Transcription, to handle medical transcriptions for several VMG practices. Among other findings, the state says Best Medical Transcription allegedly failed to notify VMG of the security incident exposing the practice's patient data.
"The big lesson here is that the expectations under HIPAA for vendor management are very much in flux," says privacy attorney Adam Greene of the law firm David Wright Tremaine. The healthcare sector has been "hearing indications" from the Department of Health and Human Services' Office for Civil Rights that the federal HIPAA enforcement agency is potentially expecting more due diligence of vendors by covered entities than seen in the past.
In the meantime, "this shows that the state AGs may move even more aggressively in interpreting HIPAA as requiring significant oversight of vendors."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek says the NJ AG settlement potentially breaks new enforcement ground.
"The complaint by the NJ AG would greatly expand the obligations on a HIPAA covered entity by holding them responsible for assessing how contractors and vendors safeguard e-PHI," he says. "OCR has never interpreted the HIPAA rules to place an obligation on the covered entity to assess or directly monitor how a vendor or business associate carries out its obligations to protect e-PHI."
A spokeswoman for the NJ state attorney general declined to comment on whether the AG's office plans to also take enforcement action against Best Medical Transcription, the Georgia-based vendor at the center of the VMG breach.
The VMG breach was reported on March 11, 2016 to OCR as impacting 1,654 individuals, according to the HHS OCR HIPAA Breach Report Tool website - also commonly called the "wall of shame" - that lists health data breaches affecting 500 or more individuals.
The settlement between New Jersey's state AG and VMG is the latest HIPAA enforcement action taken by a state attorney general. Under the HITECH Act, state attorneys general were given authority to take enforcement action in cases involving HIPAA.
Besides the VMG case, New Jersey's attorney general in February signed a $1.1 million settlement with Horizon Blue Cross Blue Shield. At the center of that case was a 2013 breach impacting 840,000 individuals, including 690,000 New Jersey policyholders whose data was contained on two unencrypted stolen laptops.
Other states' attorneys general have also taken steps to enforce HIPAA. That includes New York, whose attorney general in March announced a $575,000 settlement with insurer Emblem Health in a HIPAA breach case involving health data exposed in paper mailings.
Settlement documents indicate that the breach impacting VMG patients occurred in January 2016, when Best Medical Transcription, hired by VMG to transcribe dictations of medical notes and reports by doctors at the three VMG practices, updated software on a password-protected FTP website where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP site to be accessed via the web without a password.
The state's investigation found that even after Best Medical Transcription corrected the server misconfiguration, removed the transcribed documents from the FTP site and restored the password protection, Google retained cached indexes of patient files which remained publically accessible on the internet.
The settlement notes that VMG had in place a business associate agreement with Best Medical Transcriptions which required any subcontractor to whom Best Medical Transcription provided VMG patient PHI to agree in writing to be bound by the same restrictions and conditions as in the BAA.
Under the agreement, Best Medical Transcription was also required to report any security incidents to VMG within 20 days.
VMG first became aware of the server mishap not from Best Medical Transcription, but rather from a patient in late January 2016, when the medical practice received a call from a patient indicating that portions of her VMG medical records were discovered on Google, settlement papers say. The state's investigation found that at that time, VMG was unaware of the source of the leaked information viewed on the web because Best Medical Transcription had not notified the practice of the security breach.
Settlement documents note that state investigators found that after the FTP site became unsecured, anyone who searched Google using search terms contained within the dictation information, such as patient names or medical terms, was able to access and download the documents located on the misconfigured site.
The state's investigation also found that VMG was unaware until February 2016 that Best Medical Transcription had subcontracted with a New Delhi, India-based company to perform medical transcription services for the VMG practices that were impacted in the breach.
The state concluded that VMG violated multiple laws, including the New Jersey's Consumer Fraud Act, as well as several provisions of the HIPAA rules.
Among HIPAA violations identified included VMG failing to conduct an accurate and thorough risk assessment of the potential risks to electronic PHI it held and transmitted to a third-party vendor; failure to implement security measures to reduce those risks; and failure to implement a workforce security training program.
In addition to the financial settlement, VMG has agreed to a corrective action plan that includes engaging an independent third-party to conduct a risk analysis - including of policies and practices for transmitting and receiving ePHI; and VMG revising its current policies and procedures based on the findings of the analysis.
"Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server," said Gurbir Grewal, NJ state attorney general in a statement about the settlement with VMG.
The medical practice's duty to safeguard patient data also extends to managing risks posed by vendors, says the state's consumer affairs office.
"Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it," said Sharon Joyce, NJ acting director of the division of consumer affairs in a statement. "This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well."
VMG did not immediately respond to an Information Security Media Group request for comment.
Managing Vendor Risk
While the New Jersey cited VMG for failure to conduct a thorough and current security risk analysis, some experts says it's also important for entities to regularly assess the risks posed by their vendors that handle PHI.
"Regardless of whether you've had a vendor for several years already, or are just considering getting [a new] one, do an assessment to see the kinds of controls they have in place and to see the kind of privacy and security program that have actually implemented," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, in a recent interview.
In addition,"make sure you collect actual verifiable evidence that they're actually doing what they say they do, she stresses.
Mistakes involving misconfigured servers are a recurring problem that's often seen in other health data security incidents, including at least one other enforcement case.
The Federal Trade Commission several years ago entered into consent agreement with medical transcription company GMR Transcription in a case involving a misconfigured FTP site that exposed sensitive health information of several dozen physician practices to be viewable on the internet.
The HHS wall of shame is also dotted with a number of major breaches involving misconfigured servers and similar mishaps (see Misconfigured Server Exposes Patient Data).