The Other Shoe Drops on Vendor Business Associate; Includes Ban on Owner Doing Business in New Jersey

By on November 20, 2018 in Data Security with 0 Comments

When a business entrusts its customers’ personal information to a third party, and that third party fails to properly protect the information, both entities may pay a price. Now, the New Jersey Attorney General has shown that the price can include a ban on a business owner ever again managing or owning a business in New Jersey.

As previously noted in this blog, ATA Consulting, LLC (“ATA”), a Georgia medical transcription service retained by Virtua Medical Group (“VMG”), had subcontracted VMG’s medical transcription work to a company in India. That company unintentionally misconfigured a web server while updating software on a password-protected File Transfer Protocol website, allowing the site to be accessed without a password.  As a result, some of VMG’s patient information became publicly available via a Google search of terms contained within the transcriptions.

VMG had a HIPAA Business Associate Agreement in place with ATA which, typically, would require ATA to comply with HIPAA’s Privacy and Security Rules and the federal Data Breach Notification Rule, and to bind its subcontractors to the same. The New Jersey Attorney General alleged that ATA failed to comply with many requirements of those laws and that each and every violation constituted separate and additional unconscionable commercial practices in violation of the New Jersey Consumer Fraud Act. Those violations involved the public exposure of information in 462 patient records, requiring notice to over 1,500 patients. While the settlement resolves the Attorney General’s allegations, it does not limit or otherwise affect private rights of action of anyone not a party to the settlement.  In addition to a $200,000 penalty (much of it suspended due to ATA’s financial condition), ATA’s owner is barred from managing or owning any business in New Jersey, an enforcement measure that shows the Attorney General’s aggressive stance against those who don’t take seriously their obligations regarding protected personal information.

Cybersecurity is not just about criminal hackers. When businesses assess their cybersecurity status and what measures they must take to protect customer and employee information, third-party risk from vendor relationships should not be overlooked. These measures will be discussed on November 29th at Alloy Silverstein’s 2018 Security Symposium: Threat and Crisis Management for the Modern Workforce, at the DoubleTree Suites in Mount Laurel, New Jersey.


Tags: ,

About the Author

About the Author:

Shareholder, Health Care Group/Privacy & Security Group. Ms. Sanders has focused her practice in the areas of healthcare regulatory, transactional and operational matters for more than 20 years. She has extensive experience advising physicians and other healthcare providers on the multitude of regulatory and compliance requirements affecting healthcare delivery, including practice management issues; licensure and professional board matters; state and federal self-referral, anti-kickback, and fraud and abuse; electronic health records; telemedicine; collaboration agreements; and government and private payor relations. Her representative clients include individual practitioners, group practices, surgical practices, ambulatory surgery centers, ambulatory care facilities, and providers in the area of urgent care, post-acute care, home care, long-term care, and wellness.


Post a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.