Beth Israel Deaconess Medical Center to Pay $100,000 Over Data Breach Allegations
Hospital to Take Steps to Prevent Future Data Security Violations
BOSTON – A Boston hospital will pay a total of $100,000 and take steps to prevent future security violations following allegations related to a data breach that affected patient information, Attorney General Martha Coakley announced today.
The consent judgment, entered Thursday in Suffolk Superior Court, alleges that Beth Israel Deaconess Medical Center (BIDMC) failed to protect the personal and protected health information of nearly 4,000 patients and employees.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” AG Coakley said. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”
According to the complaint against BIDMC, in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.
The laptop contained the protected health information of 3,796 patients and employees as well as the personal information of 194 Massachusetts residents, of which 192 were BIDMC employees. Information put at risk by the data breach included names, Social Security numbers, and medical information.
Although the hospital’s policy and applicable law required employees to encrypt and physically secure laptops containing personal information and protected health information, the physician and members of his staff were not following these policies. BIDMC did not notify patients about the data breach as required under state and federal data breach notification laws until August 2012.
Under the terms of its consent judgment, BIDMC has agreed to pay $100,000, including a $70,000 civil penalty, $15,000 for attorney’s fees and costs, and a payment of $15,000 to a fund administered by the AG’s Office for educational programs concerning the protection of personal information and protected health information.
BIDMC will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. BIDMC also performed or agreed to perform a review and audit of security measures and to take corrective measures recommended in the review.
The lawsuit was filed under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.
The AG’s Office is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.
The BIDMC matter is being handled by Assistant Attorney General Shannon Choy-Seymour of the Health Care Division and Assistant Attorney General Sara Cable of the Consumer Protection Division.