Following the 2016 Virtua Medical Group data breach, Best Medical Transcription (BMT) has agreed to a $200,000 settlement with the state of New Jersey.

In early January 2016, Virtua Medical Group discovered that transcription records could be found and viewed on the internet through an ordinary search-engine query.  The accessible records dated back to 2011 and belonged to patients of Virtua Gynecologic Oncology Specialists, Medford Surgical Services, and Virtua Pain and Spine.  The cause was a server that was unintentionally misconfigured during an upgrade, which left the records reachable from the public internet, where search-engine crawlers could index them.

Now, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs have announced the settlement to which BMT has agreed.  Not only must BMT pay $200,000; the owner of the company is also barred from running a business in New Jersey ever again.

A statement from Attorney General Gurbir S. Grewal makes clear that the action was meant as an example for all companies.  He said that this “action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable.”

This is one of the rare instances in which a business associate, rather than the covered entity, has been fined for a breach. The acting director of the Division of Consumer Affairs said, “Patient privacy laws don’t just apply to doctors, they also apply to vendors like Best Medical Transcription, which provided medical transcription services to Virtua Medical Group. Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

Under HIPAA, business associates must conduct risk assessments and implement safeguards to protect patients’ information.  Covered entities should work with their business associates to confirm that these steps are actually being taken, not merely promised in a business associate agreement.

One step a covered entity or business associate can take to help prevent this type of exposure is to conduct a penetration test. Many penetration tests stop at the low-hanging fruit: the easiest findings are tested, but not every vulnerability is exploited, so there is no guarantee that a misconfiguration like this one would be found if the tester has a more significant vulnerability to pursue. Even so, the likelihood of finding it is far higher than if no test is conducted at all. For this particular failure mode, the test scope should include an unauthenticated review of every internet-facing host, and that review should be repeated after each upgrade or configuration change, since that is exactly when this misconfiguration was introduced.
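The kind of unauthenticated review described above, as an added example that is not part of the original article and not code from Virtua, BMT or the state: a small Python script that requests each internet-facing URL the way a search-engine crawler would (no session, no cookies) and flags any response that hands back a document or a directory listing without asking for credentials. The host names, file-name patterns and sample responses are constructed for illustration.

```python
"""Unauthenticated exposure check for internet-facing document hosts.

Added example, not taken from the article or from any party it names. Each
URL is fetched as a search-engine crawler would fetch it (no session, no
cookies); a 200 that returns a document or a directory listing is reported.
All URLs, file-name patterns and the sample responses are constructed.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Assumed extensions for transcription documents (illustrative, not from the article).
DOCUMENT_EXT = re.compile(r"\.(?:pdf|docx?|rtf|txt)$", re.IGNORECASE)
# Auto-generated directory indexes from common web servers share this title.
DIR_LISTING = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


@dataclass
class Response:
    """What one unauthenticated GET returned (header names lower-cased)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify(resp: Response) -> list[str]:
    """Return findings for one response; an empty list means nothing exposed.

    401/403 mean the host asked for credentials, which is the desired outcome
    for patient documents, so only a 200 can be an exposure.
    """
    if resp.status != 200:
        return []
    findings = []
    path = resp.url.split("?", 1)[0]
    if DIR_LISTING.search(resp.body):
        findings.append("directory listing served without authentication")
    elif DOCUMENT_EXT.search(path):
        findings.append("document served without authentication")
    if not findings:
        return []
    # A crawler indexes a 200 unless told not to; a noindex header is a last
    # line of defence, not a substitute for access control.
    robots = resp.headers.get("x-robots-tag", "").lower()
    if "noindex" not in robots:
        findings.append("no 'X-Robots-Tag: noindex', so search engines may index it")
    return findings


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Perform the unauthenticated GET: no cookies, a crawler-like User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            body = r.read(65536).decode("utf-8", errors="replace")
            return Response(url, r.status, {k.lower(): v for k, v in r.headers.items()}, body)
    except urllib.error.HTTPError as e:
        return Response(url, e.code, {k.lower(): v for k, v in e.headers.items()}, "")


def scan(urls: list[str]) -> dict[str, list[str]]:
    """Fetch every URL and return only those with findings."""
    report = {}
    for url in urls:
        findings = classify(fetch(url))
        if findings:
            report[url] = findings
    return report


# Constructed sample responses (not real hosts or records) so the check can be
# exercised offline: one open listing, one file shielded only by noindex, and
# one properly denied request.
SAMPLE_RESPONSES = [
    Response("https://docs.example.test/transcripts/", 200, {},
             "<html><head><title>Index of /transcripts</title></head></html>"),
    Response("https://docs.example.test/transcripts/visit-note.pdf", 200,
             {"x-robots-tag": "noindex, nofollow"}, "%PDF-1.4"),
    Response("https://docs.example.test/portal/record.docx", 401,
             {"www-authenticate": "Basic"}, ""),
]


def demo() -> dict[str, list[str]]:
    """Classify the constructed samples; same shape as scan() returns."""
    report = {}
    for resp in SAMPLE_RESPONSES:
        findings = classify(resp)
        if findings:
            report[resp.url] = findings
    return report


if __name__ == "__main__":
    # Usage: python exposure_check.py https://host.example/path ...
    # With no arguments the constructed samples are classified instead.
    report = scan(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for url, findings in report.items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run it against the list of internet-facing URLs after every upgrade or configuration change; a 401 or 403 is the expected result for anything holding patient records. The `noindex` finding is deliberately secondary: it tells you whether a search engine would have picked the file up, but a document that is readable without credentials is already a reportable exposure regardless of what crawlers do with it.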

To learn about other steps you can take, as either a business associate or a covered entity, join HIPAAgps today.