Medical Group Settles with New Jersey Attorney General for Health Data Privacy Breach Caused by Its Vendor’s Misconfigured FTP Site: Reminder of the Need to Conduct Vendor Due Diligence

By Thora A. Johnson, Brian E. Extein & Jami Vibbert on April 16, 2018

Posted in Data Breach, Data Privacy & Security, Digital Health

On April 4, 2018, the New Jersey Attorney General’s office announced a settlement with a large network of physicians affiliated with medical and surgical practices throughout New Jersey (the “Medical Group”) for health privacy and security violations related to a breach of more than 1,650 patient records. The settlement for violations of the federal Health Insurance Portability and Accountability Act and its associated regulations (“HIPAA”) and New Jersey state law requires the Medical Group to pay $417,816 and implement a corrective action plan, including a comprehensive and thorough risk assessment, to improve its data privacy and security practices.

The breach occurred when its medical transcription company, an unrelated subcontractor with whom the Medical Group maintained a HIPAA business associate agreement, updated a file transfer protocol (“FTP”) site used for medical information storage. In the process of implementing the update, the medical transcription company mistakenly removed password protection and allowed sensitive patient records to be accessed on the open internet. Without the password protection in place, patient records could be accessed through Google searches for terms contained in the records themselves, as a web crawler from Google crawled and indexed the FTP site using an algorithmic process.

A patient discovered the breach when she found portions of her own medical records through a Google search. The Medical Group then launched an internal investigation and notified state and federal law enforcement authorities.

The State of New Jersey has made it clear that it holds the Medical Group responsible for the breach, even though it was caused by a subcontractor. The Acting Director of the New Jersey Division of Consumer Affairs stated:

Although it was a third-party vendor that caused this data breach, [Medical Group] is being held accountable because it was their patient data and it was their responsibility to protect it….This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.

It is no longer sufficient, if it ever was, for a covered entity (or upstream business associate) to rely solely on “satisfactory assurances” obtained pursuant to a written HIPAA business associate agreement that the business associate (or downstream business associate) will appropriately safeguard the health information shared with it. This settlement clearly signals the need to vet a new vendor’s security practices and to continue ongoing vendor management and oversight during the course of the business relationship.

Venable’s healthcare practice group is continuously monitoring these issues and tracking the latest developments. Please contact your Venable attorneys with any questions.