New Jersey AG Announces $200,000 Settlement with Business Associate and Permanent Ban for BA’s Owner due to 2016 Data Breach Affecting Over 1,650 Patients

Robinson+Cole Data Privacy + Security Insider

On November 2, 2018, the New Jersey Attorney General announced a settlement worth up to $200,000 with a former medical transcription company responsible for a breach affecting medical records of up to 1,654 patients of a New Jersey physician network for which the company acted as a business associate.

  • Please see our analysis of an earlier settlement related to this breach entered into between the NJAG and the physician network here.

The terms of the settlement are set forth in a consent judgment entered into with the company – ATA Consulting, LLC d/b/a Best Medical Transcription – and its owner that resolves a suit brought by the NJAG under HIPAA and the New Jersey Consumer Fraud Act. Best Medical Transcription was a business associate under HIPAA that transcribed dictated physician letters, notes and other reports for the physician network. Under the judgment, Best Medical Transcription and its owner acknowledge that they failed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in connection with the exposure of the transcriptions of certain physician notes in or around January 2016, when password protection of the company’s website was removed during a software upgrade.

The judgment obligates the defendants to make an initial payment of $30,508.00, with the remaining $169,492.00 suspended and to be vacated in two years as long as the defendants materially comply with the terms and conditions of the consent judgment. Notably, the NJAG previously required the physician network that had contracted with this company to pay $418,000 for other HIPAA violations related to this breach, even though it determined at that time that the transcription company was responsible for the breach.

Interestingly, the judgment requires the defendants to acknowledge that they have dissolved Best Medical Transcription, and prohibits the owner of that company from managing or owning any business in New Jersey, or serving as an officer, director, or in a similar governance or shareholder role of “any corporation in New Jersey.”

This apparent permanent prohibition on the owner managing a business in New Jersey due in part to violations of HIPAA is a remarkable remedy, and is one that other business associates would be well advised to keep in mind when considering their data security practices.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
