Virtua Medical Group, a South Jersey firm with dozens of medical and surgical practices, has agreed to pay $417,816 to settle a complaint that it exposed medical records of more than 1,650 patients on the internet.
The exposure of patient names, medical diagnoses and prescriptions occurred when Virtua contracted Georgia-based Best Medical Transcription to transcribe dictations of medical notes, letters, and reports by doctors at three Virtua practices, the state Attorney General’s office said Wednesday.
The transcription firm incorrectly configured its server and allowed the information to be accessed without a password, authorities said.
Virtua learned of the issue when it received a call from a patient in January 2016, authorities said. The patient found her medical information online after conducting a Google search.
Virtua then investigated and learned other patients’ information was publicly available. Soon after, the company reported the data breach to the FBI and State Police.
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” Division of Consumer Affairs acting director Sharon M. Joyce said in a statement. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
As part of the settlement, Virtua will hire a third party to monitor its online security protocols.
The patients were treated at Virtua Surgical Group in Hainesport, and Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees.
Virtua’s attorney, Ted Kobus of New York City-based firm Baker Hostetler, didn’t immediately return a message seeking comment.