By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    benefits of using protein powder to build muscles
    Protein Powder for Muscle Mass: Everything You Need to Know
    December 12, 2021
    changes brought on by blockchain in healthcare
    Technology In The Healthcare Industry
    March 28, 2022
    What Does Core Body Temperature Say About Health?
    August 17, 2022
    Latest News
    7 Most Common Healthcare Accreditation Programs: Which Should You Use?
    August 20, 2025
    Hospital Pest Control and the Fight Against Superbugs
    August 20, 2025
    Hygiene Beyond The Clinic: Attention To Overlooked Non-Clinical Spaces
    August 13, 2025
    5 Steps to a Promising Career as a Healthcare Administrator
    August 3, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Health Insurers’ Rate Increases Being More Scrutinized
    May 22, 2011
    AMA Meets at Policy Confab, Preps Vote on Reform Provision
    June 20, 2011
    Conservatives: The Utah Health Exchange is Not a Model
    July 23, 2011
    Latest News
    How Social Security Disability Shapes Access to Care and Everyday Health
    August 22, 2025
    How a DUI Lawyer Can Help When Your Future Health Feels Uncertain
    August 22, 2025
    How One Fall Can Lead to a Long Road of Medical Complications
    August 22, 2025
    How IT and Marketing Teams Can Collaborate to Protect Patient Trust
    July 17, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Organization fined $418,000 for business associate HIPAA breach
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Policy & Law > Medical Ethics > Organization fined $418,000 for business associate HIPAA breach
eHealthMedical EthicsMedical RecordsPolicy & Law

Organization fined $418,000 for business associate HIPAA breach

Brad Spannbauer
Brad Spannbauer
Share
7 Min Read
SHARE

 

Contents
  • A harsh settlement and a stark reminder
  • 3 questions healthcare organizations need to ask their BAs

Virtua Medical Group – a physician network –  has been fined $418,000 by the New Jersey Attorney General’s Office for failing to safeguard electronic protected health information (ePHI) belonging to more than 1,650 patients.

The data breach occurred following misconfiguration of a database held by one of Virtua’s business associates, Best Medical Transcription. The third-party vendor had been contracted by Virtua to transcribe sensitive data held within medical notes, reports, and letters.

The transcribed notes containing sensitive data were uploaded to a password-protected website at Best Medical Transcription; however, password protection had accidently been removed in January 2016 during a software update. This slip-up caused patient data to become readily available, without any need for authentication. Worse still, content from the vendor’s server wound up being indexed by search engines and could easily be found by simply searching for any terms contained within the notes online.

More Read

Image
Removing the Digital Content Barriers
Mobile Health Around the Globe: Synappz App Helps Organize Urinary Intake & Output
Remote Doctor Consultations –Not Quite Ready for Prime Time
The Most Interesting Man Revolutionizing the Health World
Healthcare.Gov Lets Consumers Monitor Health Insurance Rates

Best Medical Transcription became aware of the lapse in password protection and a potential breach, but it did not notify Virtua Medical Group that data had been exposed.

A harsh settlement and a stark reminder

The Attorney General ruled that there had been multiple accounts of non-compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements, subjecting Virtua to the ruling, despite the fact that the breach technically affected one of its business associates.

Virtua was chastised for failing to conduct a thorough risk analysis of its business associate (BA), Best Medical Transcription, and as a result, electronic Protected Healthcare Information (ePHI) was communicated at the cost of patient confidentiality. Furthermore, the medical group was also condemned for implementing inadequate security measures to reduce the risk potential. The investigation also revealed that Virtua didn’t have a security awareness and training program for staff in place, and there had been “unacceptable delays” in identifying and responding to the data breach.

In a statement, the Attorney General said “Electronically stored data is vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken”.

In addition to the financial penalty of $418,000, Virtua Medical Group has agreed to undertake a robust corrective action plan which includes hiring a third-party security professional to conduct a comprehensive risk analysis relating to the company’s handling, transmission, and storage of ePHI, and to perform further risk assessments every two years.

This enforcement action should serve as a stark reminder for healthcare providers (known under HIPAA as ‘covered entities’) to thoroughly vet their third-party vendors to ensure security best practices are being followed, and sensitive data remains protected at all times. Failure to comply can result in significant financial and reputational damage. HIPAA covered entities must remain mindful of their vendors and BAs, ensuring they are compliant before giving them any access to sensitive data.

This action may also indicate a trend towards increased enforcement of HIPAA by the states.  Most of the enforcement actions that come to the public’s attention are brought by the federal department of health and human services office of civil rights (HSS-OCR). However, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA in 2013, state attorney generals now have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. And some state privacy laws are even stricter than the federal legislation.

3 questions healthcare organizations need to ask their BAs

  1. Does the vendor identify themselves as a Business Associate?
    Clarity is key when dealing with third-party organizations. If a vendor is providing services that require exchange of PHI and/or ePHI, it is vital that they recognize themselves as a BA, and be willing to sign a BAA. In the eyes of the regulator, if a third party creates, receives, maintains, or transmits ePHI, they are a BA whether they realize it or not.  HIPAA requires that covered entities enter into agreements with their business associates to ensure they will appropriately safeguard protected health information (see 45 C.F.R. §164.308(b)).  Consequently, if a healthcare provider exchanges ePHI with a BA without first having signed a BAA, they are not in compliance with HIPAA.2. How and where will sensitive data be stored, accessed, and shared?
    It is essential to understand how BAs collect, store, process and transfer ePHI, as well as how they protect that ePHI from unauthorized access.  A signed business associate agreement should be in place for both parties, contractually outlining in detail how sensitive data will be managed.

    Additionally, it is a good idea to understand how a BA goes about vetting, training, and educating its employees – after all, policies and procedures are only as good as the employees who are implementing them. Ultimately, the covered entity is responsible for protecting patient data, and if the BA fails to provide adequate security, it is the covered entity that will be held responsible.

  2. Is there an incident response plan in place?
    No organization is immune from a data breach. Therefore, it’s important that the BA has planned ahead and accounted for any potential contingencies with a detailed incident response plan. This should include mandated provisions to notify the covered entity as soon as possible of any potential security gaps or events.

Online faxing service, eFax Corporate helps ensure your online faxing complies with the strictest mandates of HIPAA. Click here to discover how eFax Corporate® helps keep your faxes HIPAA compliant.

Share This Article
Facebook Copy Link Print
Share
By Brad Spannbauer
A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. To find out more visit https://enterprise.efax.com/

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

travel nurse in north carolina
Balancing Speed and Scope: Choosing the Nursing Degree That Fits Your Goals
Nursing
September 1, 2025
intimacy
How to Keep Intimacy Comfortable as You Age
Relationship and Lifestyle Senior Care
September 1, 2025
engineer fitting prosthetic arm
How Social Security Disability Shapes Access to Care and Everyday Health
Health care
August 20, 2025
a woman explaining the document
How a DUI Lawyer Can Help When Your Future Health Feels Uncertain
Public Health
August 20, 2025

You Might also Like

New Administration Wellness Strategy

July 27, 2011

Interview with Paul Wicks, PatientsLikeMe, Keynote Speaker at Doctors 2.0 & You Conference

February 16, 2012
FitnessHealth carePublic Health

Learn About Anxious Eating And How To Stop It In 5 Steps

April 28, 2020
google glass
eHealthMedical InnovationsMobile HealthTechnology

Technology Innovations That Are Changing the Face of Health Care

November 6, 2014
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?