Press Release

For Immediate Release:
April 4, 2018

Office of The Attorney General
Gurbir S. Grewal, Attorney General

Division of Consumer Affairs
Sharon Joyce, Acting Director

Division of Law
Michelle Miller, Director
For Further Information Contact:
Lisa Coryell (973)-504-6327 or (609)-292-4971

Virtua Medical Group Agrees to Pay Nearly $418,000, Tighten Data Security to Settle Allegations of Privacy Lapses Concerning Medical Treatment Files of Patients

View Consent Judgment

NEWARK - Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs today announced that Virtua Medical Group, P.A. (“VMG”), a network of physicians exclusively affiliated with more than 50 South Jersey medical and surgical practices, has agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor.

VMG, a non-profit New Jersey captive Professional Association of Virtua Health Inc. headquartered in Marlton, agreed to the settlement terms after the Division’s investigation concluded that VMG’s failure to comply with federal healthcare data security standards publicly exposed the medical information – including patient names, medical diagnoses and prescriptions – of up to 1,654 individuals treated at Virtua Surgical Group in Hainesport, and Virtua Gynecological Oncology Specialists and Virtua Pain and Spine Specialists in Voorhees.

The server misconfiguration occurred in January 2016. All potentially affected patients, which included 1,617 New Jersey residents, were notified about the security breach in early March 2016.

The Division alleged that VMG’s failure to conduct a thorough analysis of the risk to the confidentiality of the electronic protected health information (“ePHI”) it sent to a third-party vendor, and its failure to implement security measures to reduce that risk, violated the federal Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.

“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Gurbir S. Grewal.  “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it.  When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”

The VMG privacy breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at the three VMG practices, updated software on a password-protected File Transfer Protocol site (the “FTP Site”) where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server that fronted the FTP Site, allowing the FTP Site to be accessed without a password.

Once the FTP Site was left unsecured, Google crawled and indexed its contents. The Division’s investigation found that anyone who searched Google using terms that happened to appear in the dictation information, such as patient names, doctor names or medical terms, was able to access and download the documents located on the FTP Site.

“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, Acting Director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough.  You must fully vet your vendors for their security as well.”

The Division’s investigation found that even after Best Medical Transcription corrected the server misconfiguration, removed the transcribed documents from the FTP Site, and restored the password protection on January 15, 2016, Google retained cached copies of the indexed files, which remained publicly accessible on the internet.
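The two failure modes the release describes, a document store that stops demanding credentials after a software update and a crawler that indexes and caches whatever it can reach, are both detectable with a routine unauthenticated probe run after every change to the server. The script below is an added example and is not part of the press release, nor code belonging to VMG or Best Medical Transcription. It starts two throwaway local HTTP servers that stand in for the vendor's document store before and after the fix, and runs the same probe against both. The credentials, file name and dictation text are constructed; the `X-Robots-Tag: noindex` response header is the standard way to tell search engines not to index or cache a response, and is an added control here rather than something the release attributes to either party.

```python
"""Added example: probe a document store for the misconfiguration the
Virtua/Best Medical Transcription incident describes. Not the release's
own material; all hosts, credentials and documents are constructed."""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample data; nothing here comes from the actual incident.
USERNAME, PASSWORD = "transcription", "correct-horse-battery"
DOCS = {"/dictations/note-0001.txt": "Dictated office note (constructed sample text)\n"}


class MisconfiguredHandler(http.server.BaseHTTPRequestHandler):
    """Hypothetical 'after the update' state: every document is served to
    anyone, and nothing tells a crawler to stay away."""

    def do_GET(self):
        self.serve_document(extra_headers={})

    def serve_document(self, extra_headers):
        body = DOCS.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        for name, value in extra_headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, format, *args):  # keep the example's output quiet
        pass


class CorrectedHandler(MisconfiguredHandler):
    """Hypothetical corrected state: HTTP Basic credentials are required and
    every response, including the 401, carries X-Robots-Tag: noindex."""

    NO_INDEX = {"X-Robots-Tag": "noindex, noarchive"}

    def do_GET(self):
        token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") != "Basic " + token:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="dictations"')
            self.send_header("X-Robots-Tag", self.NO_INDEX["X-Robots-Tag"])
            self.end_headers()
            return
        self.serve_document(extra_headers=self.NO_INDEX)


def probe_unauthenticated(base_url, path):
    """GET the path with no credentials; return a list of findings.
    An empty list means the store demanded credentials and told crawlers
    not to index it."""
    findings = []
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 401/403 arrive here, headers intact
        status, headers = err.code, err.headers
    if status == 200:
        findings.append("document readable without credentials")
    elif status not in (401, 403):
        findings.append(f"unexpected status {status} for unauthenticated request")
    if "noindex" not in headers.get("X-Robots-Tag", ""):
        findings.append("no X-Robots-Tag: noindex, so whatever is reachable may be indexed and cached")
    return findings


def fetch_authenticated(base_url, path):
    """Confirm the corrected server still serves the file to the right caller."""
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def start_server(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_checks():
    """Run the same probe against both states; returns findings keyed by state."""
    results, path = {}, "/dictations/note-0001.txt"
    for state, handler in (("before_fix", MisconfiguredHandler), ("after_fix", CorrectedHandler)):
        srv, base_url = start_server(handler)
        try:
            results[state] = probe_unauthenticated(base_url, path)
            if handler is CorrectedHandler:
                results["after_fix_with_credentials"] = fetch_authenticated(base_url, path)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for state, outcome in run_checks().items():
        print(state, outcome if outcome else "ok")
```

The probe belongs in the vendor's post-change validation, where it would have caught the open store on the day of the update rather than a week later via a patient's family. Note the caveat the release itself illustrates: a `noindex` header only prevents future indexing. Anything a crawler fetched while the store was open stays in the search engine's cache until a removal request is filed, so the check has to run before the change reaches the internet, not after.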

On January 22, 2016, VMG received a phone call from a patient indicating that her daughter had found portions of her medical records from Virtua Gynecological Oncology Specialists on Google. The Division’s investigation found that at that time, VMG did not know the source of the information the daughter had viewed, because Best Medical Transcription had not notified VMG of the security breach.

Upon completing an internal investigation into the matter on February 4, 2016, VMG contacted the New Jersey State Police and the FBI to report the security incident. That same day VMG submitted a request to remove the entire FTP Site from Google’s cache. Additionally, VMG located each of the 462 VMG patient records it had identified on Google and, over a period of many hours, removed them from Google one at a time.

The Division also alleged that VMG committed additional violations of HIPAA’s Security Rule and Privacy Rule in connection with the VMG data breach, including:

  • Failing to implement a security awareness and training program for all members of its workforce, including management.
  • Delaying the identification of and response to the security incident, the mitigation of its harmful effects, and the documentation of the incident and its outcome.
  • Failing to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP Site.
  • Improperly disclosing the protected health information (“PHI”) of its patients.
  • Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.

The Division further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and VMG’s violations of HIPAA’s Security Rule and Privacy Rule, constituted separate and additional unconscionable commercial practices, in violation of the New Jersey Consumer Fraud Act.

In settling the Division’s investigation, VMG agreed to implement a Corrective Action Plan that includes hiring a third-party professional to conduct a thorough analysis of the security risks associated with the storage, transmission and receipt of ePHI in VMG buildings, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years. VMG also agreed to pay $417,816, comprised of $407,184 in civil penalties and $10,632 in reimbursement of the Division’s attorneys’ fees and investigative costs.

Investigator Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.

Deputy Attorneys General Russell M. Smith, Jr. and Carla S. Pereira represented the State of New Jersey in this matter.

###

Last Modified: 5/29/2018 7:04 AM