For failing to protect the privacy of its patients, Virtua Medical Group, composed of hundreds of South Jersey doctors, has agreed to pay $418,000 and improve data security protocols, state officials announced Wednesday.
In January 2016, the daughter of a patient found portions of her mother's medical records online while doing a Google search. An investigation found that confidential records for more than 1,650 patients were left unsecured after one of the medical group's vendors updated its commercial software and reconfigured its computer server. The move rendered the files, which were cached by Google, to be publicly exposed and viewed by anyone without a password.
The group, an alliance of doctors affiliated with Virtua Health, was blindsided by the breach and agreed to the settlement with the state on March 1. The settlement document described the breach as an "unconscionable commercial practice."
The vendor, Best Medical Transcription of Georgia, had been hired to transcribe notes, letters and reports from patients who had been treated by Virtua gynecologic oncology specialists in Voorhees, the Virtua Surgical Group in Hainesport, and Virtua Pain and Spine Specialists in Voorhees. The records were removed from the internet. VMG severed its contract with the transcription company.