For Immediate Release - December 19, 2014

Boston Children’s Hospital Settles Data Breach Allegations

Hospital to Take Steps to Prevent Future Data Security Violations

BOSTON – Boston Children’s Hospital (BCH) has agreed to pay $40,000 and take steps to prevent future security violations following allegations related to a data breach that affected patient information, Attorney General Martha Coakley announced today.

The consent judgment, entered today in Suffolk Superior Court, alleges that BCH failed to protect the personal information and protected health information of more than 2,000 patients.

“Healthcare providers must ensure that the privacy and security of sensitive patient information is protected,” AG Coakley said. “Today’s settlement will put in place and enforce important technological and physical security measures at Boston Children’s Hospital to help prevent a breach like this from happening again.”

According to the complaint against BCH, an unencrypted, BCH-issued laptop was stolen from a BCH physician while he was presenting at a May 2012 conference in Buenos Aires.  Before the laptop was stolen, the physician received an email from a colleague containing the protected health information of 2,159 patients including names, dates of birth, diagnoses, procedures, and dates of surgery. More than 1,700 patients were under the age of 18.

The physician took steps that he thought were adequate to remove the protected health information from the laptop. However, the information from the email remained on the laptop and despite BCH’s written policies, encryption software was not installed prior to the incident.

Under the terms of the consent judgment, BCH will pay $40,000, including a $30,000 civil penalty and a payment of $10,000 to a fund administered by the AG’s Office for educational programs concerning the protection of personal information and protected health information.

BCH will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. The hospital will also continue a review and audit of security measures and take corrective measures recommended in the review.

The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.

The AG’s Office is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.

Most recently, on Nov. 20, 2014, Beth Israel Deaconess Medical Center agreed to pay $100,000 in a settlement with the AG’s Office after it allegedly failed to protect the personal and protected health information of nearly 4,000 patients and employees.

The BCH matter is being handled by Assistant Attorney General Shannon Choy-Seymour of AG Coakley’s Health Care Division.

##########