Medical Transcription Vendor Agrees to $200,000 Settlement with New Jersey Attorney General

On October 30, 2018, ATA Consulting LLC (doing business as Best Medical Transcription) agreed to a $200,000 settlement with the New Jersey Attorney General resulting from a server misconfiguration that allowed private medical records to be posted publicly online. The fine was suspended to $31,000 based on the company’s financial condition. Read the settlement.

The New Jersey Attorney General’s investigation found that a patient had discovered that a Google search revealed portions of her medical records, which were viewable without a password. The patient notified her medical provider, Virtua Medical Group (“Virtua”), which used medical record transcription services provided by Best Medical Transcription. The investigation concluded that a software update changed certain security restrictions previously implemented by Best Medical Transcription and permitted anonymous access (i.e., no password required) to the site where files containing patient medical information were stored. This misconfiguration permitted anyone to conduct a Google search to locate and download the complete files. The investigation found that approximately 1,650 records were exposed on the Internet in this manner.

In addition to the settlement payment, Best Medical Transcription was enjoined from committing future violations of various privacy and security requirements, including HIPAA, the Security Rule, the Breach Notification Rule and the Privacy Rule. Virtua previously agreed to pay a $418,000 fine and enhance its data security practices in connection with the incident.
