For Immediate Release - July 23, 2014

Women & Infants Hospital to Pay $150,000 to Settle Data Breach Allegations Involving Massachusetts Patients

Hospital Allegedly Failed to Protect Personal Information and Protected Health Information of More Than 12,000 Massachusetts Patients

BOSTON – Women & Infants Hospital of Rhode Island (WIH) has agreed to pay $150,000 to resolve allegations that it failed to protect the personal information and protected health information of more than 12,000 patients in Massachusetts, Attorney General Martha Coakley announced today. 

The consent judgment, approved yesterday by Suffolk Superior Court Judge Carol Ball, resulted from a data breach reported to the AG’s Office in November 2012 that included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images. 

“Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities,” AG Coakley said.  “This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again.”

In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers, one located in Providence, Rhode Island and the other located in New Bedford, Massachusetts.  The back-up tapes contained the personal information and protected health information of 12,127 Massachusetts residents.

In the summer of 2011, these back-up tapes were supposed to be sent to a central data center at WIH’s parent company, Care New England Health System and then shipped off-site in order to transfer legacy radiology information to a new picture archiving and communications system.  However, due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Due to deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012. 

Under the terms of the settlement, WIH has agreed to take steps to ensure future compliance with state and federal data security laws and regulations, including maintaining an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information and protected health information. The hospital also agreed to perform a review and audit of security measures and to take any corrective measures recommended in the review.

According to the settlement, WIH will pay a $110,000 civil penalty, $25,000 for attorney’s fees and costs, and a payment of $15,000 to a fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information and a fund for future data security litigation. 

The AG’s Office is focused on ensuring that health care practices and their business associates abide by the state’s date security laws and federal data privacy requirements under HIPAA and the HITECH Act. Efforts include the $750,000 settlement with South Shore Hospital in May 2012, resolving allegations that it failed to protect the personal information and protected health information of more than 800,000 patients. In 2013, the AG’s Office reached a $140,000 settlement with medical billing company Goldthwait Associates and its client pathology groups over allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump in Georgetown.

This matter is being handled by Assistant Attorney General Shannon Choy-Seymour of the Health Care Division.

##########

Follow us on Twitter – View our Photos – Visit our Website