ATA Consulting, which conducted business as Best Medical Transcription, agreed to pay $200,000 to settle allegations it violated HIPAA and the New Jersey Consumer Fraud Act after a breach in 2016.
Here are six things to know about the settlement:
1. ATA Consulting and its owner, Tushar Mathur, entered into the settlement with New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs to resolve allegations arising from a 2016 breach, in which the vendor allegedly allowed the public to view online records of patients from Virtua Medical Group, a network of medical and surgical practices in southern New Jersey.
2. Physicians at three VMG practices had contracted Best Medical Transcription to transcribe dictations of medical notes, letters and reports. In 2016, Best Medical Transcription updated its software on a password-protected website that stored the transcribed documents. During the update, the vendor unintentionally misconfigured the web server, allowing the site to be publicly viewable.
3. As a result of the server misconfiguration, the private health information — including names and medical diagnoses — of up to 1,654 patients treated at VMG practices was publicly exposed online. Subsequently, those who conducted web searches for terms included in the dictation information, such as patient names, were able to find portions of the exposed records online.
4. In April 2018, VMG agreed to pay $417,816 to settle allegations it failed to secure these patients' medical records when they were made accessible online. At the time, the New Jersey Division of Consumer Affairs alleged VMG had not conducted a thorough analysis of the risk associated with electronically sharing protected health information with Best Medical Transcription.
5. Best Medical Transcription, which was based in Georgia, dissolved as a business in June 2017, an act it said was independent of New Jersey's investigation. Along with paying the fine, Mr. Mathur also agreed to a permanent ban on managing or owning a New Jersey business. Mr. Mathur said he would no longer serve as an officer or trustee, among other positions, of any corporation in the state.
6. The $200,000 settlement amount comprises $191,492 in civil penalties and an $8,508 fine to reimburse the state for attorney fees and investigative costs.
"Patient privacy laws don't just apply to doctors, they also apply to vendors like Best Medical Transcription," said Paul R. Rodríguez, acting director of the New Jersey Division of Consumer Affairs. "Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards."