The data breach of more than 1,600 medical patient files will cost nonprofit Virtua Medical Group almost $418,000, according to a settlement announced Monday by Attorney General Gurbir Grewal and the New Jersey Division of Consumer Affairs.
Marlton-based Virtua Medical Group, a network of physicians affiliated with more than 50 South Jersey medical and surgical practices, agreed to pay $417,816 and improve data security practices. The settlement follows allegations that Virtua Medical patient records became viewable online due to a server misconfiguration by a private vendor.
The data breach involved three Virtua facilities in Hainesport and Voorhees in January 2016. Potentially affected patients were notified in early March 2016.
Officials said the privacy breach occurred when Best Medical Transcription, a Georgia-based vendor, updated software on a password-protected website. During the update, the vendor accidentally misconfigured the web server, making content accessible without a password.
Afterwards, anyone using certain search-engine keywords could access the records.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon Joyce, acting director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
In the settlement, VMG agreed to implement a corrective action plan that includes hiring a third-party professional to conduct a thorough analysis of security risks associated with the storage, transmission and receipt of electronic protected health information.