On November 2, 2018, the New Jersey Attorney General announced a settlement worth up to $200,000 with a former medical transcription company responsible for a breach affecting medical records of up to 1,654 patients of a New Jersey physician network for which the company acted as a business associate.
- Please see our analysis of an earlier settlement related to this breach entered into between the NJAG and the physician network here.
The terms of the settlement are set forth in a consent judgment entered into with the company – ATA Consulting, LLC d/b/a Best Medical Transcription – and its owner that resolves a suit brought by the NJAG under HIPAA and the New Jersey Consumer Fraud Act. Best Medical Transcription was a business associate under HIPAA that transcribed dictated physician letters, notes and other reports for the physician network. Under the judgment, Best Medical Transcription and its owner acknowledge that it failed to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule in connection with the exposure of the transcriptions of certain physician notes in or around January 2016, when password protection of the company’s website was removed during a software upgrade.
The judgment obligates the defendants to make an initial payment of $30,508.00, with the remaining $169,492.00 suspended and to be vacated in two years as long as the defendants materially comply with the terms and conditions of the consent judgment. Notably, the NJAG previously required the physician network that had contracted with this company to pay $418,000 for other HIPAA violations related to this breach, even though it determined at that time that the transcription company was responsible for the breach.
Interestingly, the judgment requires the defendants to acknowledge that they have dissolved Best Medical Transcription, and prohibits the owner of that company from managing or owning any business in New Jersey, or serving as an officer, director, or in a similar governance or 10+% shareholder role of “any corporation in New Jersey.”
This apparent permanent prohibition on the owner operating a business in New Jersey due in part to violations of HIPAA is a remarkable remedy, and is one that other business associates would be well advised to keep in mind when considering their data security practices.