On October 30, 2018 the New Jersey Attorney General entered into a Final Consent Judgment with ATA Consulting, doing business as Best Medical Transcription, and its owner, Tushar Mathur (collectively “Defendants”), resolving a 2016 security breach that resulted in the publication of personal health information of over 1,600 New Jersey residents. As a result of the Consent Judgment, Defendants were fined $200,000 and Mr. Mathur was permanently banned from managing or owning a business in New Jersey.
At the time of the security breach, Best Medical Transcription was under contract with Virtua Medical Group (“Virtua”) to provide transcription of dictated medical notes, letters, and reports. Virtua provided dictation of the notes through a telephone recording service. Upon receiving these audio recordings, Best Medical Transcription subcontracted with an Indian business to perform the transcription services and utilized a password-protected File Transfer Protocol (“FTP”) site to make the files available.
On January 1, 2016, a software update on the FTP site inadvertently removed the password protection, resulting in the data becoming publicly-available. A Google web crawler indexed the FTP site and, as a result, a Google search for any terms in the audio file such as a patient’s name would lead to a link where the entire audio file could be downloaded. On January 15, 2016, Mr. Mathur learned of the issue and reset the password protection. He did not notify Virtua of the fact that for two weeks, highly confidential medical records had been publicly-available. Three weeks after the software update, Virtua received notice that a patient’s daughter had located part of her gynecological oncology medical records on Google.
The New Jersey Attorney General alleged that Defendants violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the New Jersey Consumer Fraud Act (“CFA”) by failing to conduct accurate and thorough risk assessments, failing to implement sufficient security measures, failing to implement policies and procedures to protect electronic personal health information (“ePHI”), failing to notify Virtua of the breach, and improperly using or disclosing ePHI in contravention of its contract with Virtua. This settlement with ATA Consulting followed an April 2018 Final Consent Judgment between New Jersey and Virtua where Virtua agreed to pay over $400,000 and improve its data security practices.
The settlement with Defendants is noteworthy for its provision banning Mr. Mathur from managing or owning a business in New Jersey. Additionally, New Jersey followed Federal Trade Commission (“FTC”) practice, seen in recent settlements with Uber Technologies, Inc., BLU Products, Inc., and Lenovo Inc., of imposing substantial penalties on Virtua for a data breach resulting from vendor actions. The lesson from these settlements is clear: state attorneys general are keeping a watchful eye on protection of ePHI under HIPAA, and even a two-week lapse in security practices can have grave effects on an organization.