By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    healthcare cybersecurity
    4 Helpful Tips on How to Protect Your Medical Practice Against Cyber Attacks
    October 24, 2021
    Health Check Diagnosis Medical Condition Analysis Concept
    6 Health Woes With Online Remedies
    January 19, 2022
    Eight Things Men Should Know About the Male Menopause
    Eight Things Men Should Know About the Male Menopause
    April 24, 2022
    Latest News
    Beyond Nutrition: Everyday Foods That Support Whole-Body Health
    June 15, 2025
    The Wide-Ranging Benefits of Magnesium Supplements
    June 11, 2025
    The Best Home Remedies for Migraines
    June 5, 2025
    The Hidden Impact Of Stress On Your Body’s Alignment And Balance
    May 22, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    healthy nursing school habits
    Healthy Habits for Nursing Student Nursing School Students
    May 24, 2024
    High Deductables
    High-Deductible Insurance and Rising Bad Debt
    July 24, 2015
    How People Are Taking Advantage of Health Deals in the Recent Recession
    February 5, 2021
    Latest News
    Top HIPAA-Compliant Messaging Apps for Healthcare Teams
    June 25, 2025
    When Healthcare Ends, the Legal Process Begins: What Families Should Know About Probate and Medical Estates
    June 20, 2025
    Preventing Contamination In Healthcare Facilities Starts With Hygiene
    June 15, 2025
    Strengthening Healthcare Systems Through Clinical and Administrative Career Development
    June 13, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Organization fined $418,000 for business associate HIPAA breach
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Policy & Law > Medical Ethics > Organization fined $418,000 for business associate HIPAA breach
eHealthMedical EthicsMedical RecordsPolicy & Law

Organization fined $418,000 for business associate HIPAA breach

Brad Spannbauer
Last updated: May 22, 2018 11:28 pm
Brad Spannbauer
Share
7 Min Read
SHARE

 

Contents
A harsh settlement and a stark reminder3 questions healthcare organizations need to ask their BAs

Virtua Medical Group – a physician network –  has been fined $418,000 by the New Jersey Attorney General’s Office for failing to safeguard electronic protected health information (ePHI) belonging to more than 1,650 patients.

The data breach occurred following misconfiguration of a database held by one of Virtua’s business associates, Best Medical Transcription. The third-party vendor had been contracted by Virtua to transcribe sensitive data held within medical notes, reports, and letters.

The transcribed notes containing sensitive data were uploaded to a password-protected website at Best Medical Transcription; however, password protection had accidently been removed in January 2016 during a software update. This slip-up caused patient data to become readily available, without any need for authentication. Worse still, content from the vendor’s server wound up being indexed by search engines and could easily be found by simply searching for any terms contained within the notes online.

More Read

The Yoga Nurse
The Yoga Nurse: Annette Tersigni [PODCAST]
Healthcare Data Breaches Up 32%
The Persistence of Demand for Cosmetic Procedures
What Is Interoperability and Why Is It Important in Healthcare?
Social Media Networking: Twitter Chat with Sharecare’s Sleep Experts

Best Medical Transcription became aware of the lapse in password protection and a potential breach, but it did not notify Virtua Medical Group that data had been exposed.

A harsh settlement and a stark reminder

The Attorney General ruled that there had been multiple accounts of non-compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements, subjecting Virtua to the ruling, despite the fact that the breach technically affected one of its business associates.

Virtua was chastised for failing to conduct a thorough risk analysis of its business associate (BA), Best Medical Transcription, and as a result, electronic Protected Healthcare Information (ePHI) was communicated at the cost of patient confidentiality. Furthermore, the medical group was also condemned for implementing inadequate security measures to reduce the risk potential. The investigation also revealed that Virtua didn’t have a security awareness and training program for staff in place, and there had been “unacceptable delays” in identifying and responding to the data breach.

In a statement, the Attorney General said “Electronically stored data is vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken”.

In addition to the financial penalty of $418,000, Virtua Medical Group has agreed to undertake a robust corrective action plan which includes hiring a third-party security professional to conduct a comprehensive risk analysis relating to the company’s handling, transmission, and storage of ePHI, and to perform further risk assessments every two years.

This enforcement action should serve as a stark reminder for healthcare providers (known under HIPAA as ‘covered entities’) to thoroughly vet their third-party vendors to ensure security best practices are being followed, and sensitive data remains protected at all times. Failure to comply can result in significant financial and reputational damage. HIPAA covered entities must remain mindful of their vendors and BAs, ensuring they are compliant before giving them any access to sensitive data.

This action may also indicate a trend towards increased enforcement of HIPAA by the states.  Most of the enforcement actions that come to the public’s attention are brought by the federal department of health and human services office of civil rights (HSS-OCR). However, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA in 2013, state attorney generals now have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. And some state privacy laws are even stricter than the federal legislation.

3 questions healthcare organizations need to ask their BAs

  1. Does the vendor identify themselves as a Business Associate?
    Clarity is key when dealing with third-party organizations. If a vendor is providing services that require exchange of PHI and/or ePHI, it is vital that they recognize themselves as a BA, and be willing to sign a BAA. In the eyes of the regulator, if a third party creates, receives, maintains, or transmits ePHI, they are a BA whether they realize it or not.  HIPAA requires that covered entities enter into agreements with their business associates to ensure they will appropriately safeguard protected health information (see 45 C.F.R. §164.308(b)).  Consequently, if a healthcare provider exchanges ePHI with a BA without first having signed a BAA, they are not in compliance with HIPAA.2. How and where will sensitive data be stored, accessed, and shared?
    It is essential to understand how BAs collect, store, process and transfer ePHI, as well as how they protect that ePHI from unauthorized access.  A signed business associate agreement should be in place for both parties, contractually outlining in detail how sensitive data will be managed.

    Additionally, it is a good idea to understand how a BA goes about vetting, training, and educating its employees – after all, policies and procedures are only as good as the employees who are implementing them. Ultimately, the covered entity is responsible for protecting patient data, and if the BA fails to provide adequate security, it is the covered entity that will be held responsible.

  2. Is there an incident response plan in place?
    No organization is immune from a data breach. Therefore, it’s important that the BA has planned ahead and accounted for any potential contingencies with a detailed incident response plan. This should include mandated provisions to notify the covered entity as soon as possible of any potential security gaps or events.

Online faxing service, eFax Corporate helps ensure your online faxing complies with the strictest mandates of HIPAA. Click here to discover how eFax Corporate® helps keep your faxes HIPAA compliant.

Share This Article
Facebook Copy Link Print
Share
By Brad Spannbauer
A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. To find out more visit https://enterprise.efax.com/

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

women dental care
What Is a Smile Makeover and How Much Does It Cost?
Dental health
June 30, 2025
HIPAA-Compliant Messaging Apps
Top HIPAA-Compliant Messaging Apps for Healthcare Teams
Global Healthcare Policy & Law Technology
June 25, 2025
recovering from injury
Rebuilding After Injury: Path to Physical and Emotional Recovery
News
June 22, 2025
scientist using microscope
When Healthcare Ends, the Legal Process Begins: What Families Should Know About Probate and Medical Estates
Global Healthcare
June 18, 2025

You Might also Like

Image
BusinessHealth ReformPolicy & Law

Paying for Care

March 12, 2013

eHealth collaborative brings health information technology home

October 29, 2015

Nearly One-Third of All Workers Now in Consumer-Driven Health Plans

October 26, 2011

GOP Leaks Preliminary Details on Medicaid Reform Plans

April 2, 2011
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?