Just a few days ago, the Attorney General of New Jersey brought the hammer down on an off-shore medical transcription vendor that neglected to report a HIPAA breach. Mistakes were made during a software update, the breach was never reported, 1600 patients had their Protected Health Information in the public web domain, and the State of New Jersey officially lost its garbage (I want to use another word but I’m trying to keep it appropriate, you’re welcome). It’s a lot of info, so I’ve broken this down and made it as easily consumable as possible. Please feel free to pause for dramatic effect after each sentence.
Virtua Medical Group is a physician network group based in New Jersey. They operate over 50 medical practices.
Virtua Medical Group engaged the services of an offshore medical transcription company called Best Medical Transcription. Best Medical Transcription is also known as ATA Consulting, LLC. The work force engaged by this company is based in India.
During a routine software update at Best Medical Transcription, a web server was misconfigured, which allowed the PHI (Protected Health Information) of over 1,600 patients to be exposed via Google search. In fact, this is how the breach was discovered: a patient’s daughter came across her mother’s PHI during a Google search.
According to the BAA (Business Associate Agreement), Best Medical Transcription had 20 days to report the breach to Virtua Medical Group.
They didn’t report it.
And that’s not all.
Best Medical Transcription also neglected to inform Virtua Medical Group that they had subcontracted with another firm located in New Delhi, India called Tojo Vikas International.
This means that PHI was being handled by an additional off-shore workforce that Virtua Medical Group had absolutely no knowledge of. Virtua Medical Group had no Business Associate Agreement with Tojo Vikas International. This is a HIPAA violation by Virtua Medical Group, and it’s not the only one.
According to this article by Marianne Kolbasuk McGee of Healthcareinfosecurity;
Virtua Medical Group also had over $400,000 in fines imposed by The State of New Jersey.
So, all of this occurred almost two years ago (January 2016). Why are we talking about it today? Because in a November 2, 2018 statement, New Jersey Attorney General Gurbir Grewal reached a settlement agreement which says that Mr. Tushar Mathur, the owner of Best Medical Transcription, also known as ATA Consulting LLC, based in Georgia, is banned from owning a business in New Jersey. According to an article by Databreachtoday.com, Mathur “shall not manage or own any business in New Jersey, or serve as an officer, director, trustee, member of an executive board or similar governing body, principal, manager or stockholder owning 10 percent or more of the aggregate outstanding capital stock of all classes of any corporation in New Jersey.”
What about Tojo Vikas International, based in New Delhi, India? Well, they don’t have a US presence whatsoever and their website is vague; in addition to medical transcription, it appears they also do flood management and hydraulics. It’s an odd business structure. Whoever they are, they had/have access to the data of over 1600 New Jersey healthcare consumers. I would say this lack of transparency is frustrating, and it is, but it’s actually very consistent with the vagueness and confusion that is part of doing business with off-shore corporations.
This is the first time a ban has been imposed at the state level as part of a breach settlement: Mr. Mathur is banned from owning a business in New Jersey. In a country and culture such as the US, one that prides itself on opportunity and economic growth, this is huge, and now it’s case law and sets a legal precedent moving forward.
Not too shabby, New Jersey, not too shabby at all.