TRENTON, N.J. (Legal Newsline) — New Jersey Attorney General Gurbir S. Grewal announced April 4 that Virtua Medical Group P.A. (VMG) will pay $417,816 after an alleged data breach in which 1,650 patients had their medical records exposed.
“Patients entrust doctors with their most intimate health care details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” Grewal said in a statement. “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”
VMG agreed to strengthen its data security practices in the wake of the breach, which occurred when a server misconfiguration allowed medical records to be viewed on the Internet.
“Although it was a third party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” Sharon M. Joyce, acting director of the Division of Consumer Affairs, said in a statement. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”