Office of Attorney General Maura Healey
AG Healey Settles with Billing Company over Data Breach Impacting Children
Boston — Attorney General Maura Healey obtained a judgment against a Medicaid billing company that provided processing services for Massachusetts public school districts after a data breach put more than 2,600 Massachusetts children at risk of identity theft and fraud.
A consent judgment was entered in Suffolk Superior Court today against the New Hampshire-based Multi-State Billing Services (MSB), requiring the company to pay $100,000 and implement improved security practices after an investigation by the AG’s Office found it violated state consumer protection and data security laws.
The AG’s Office began an investigation after MSB reported that a company laptop was stolen. According to the company, the laptop likely contained the unencrypted personal information of more than 2,600 Massachusetts schoolchildren, including their names, Social Security numbers, Medicaid identification numbers, and for some students, their birth dates.
“This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others,” said AG Healey.
MSB processes Medicaid billing information for school districts in New England, which at the time of the breach included the following school districts in Massachusetts: Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional. Those services include assisting in submitting Medicaid claims and processing student Medicaid eligibility determinations.
According to the complaint filed by the AG’s Office, MSB did not comply with Massachusetts law that required it to take reasonable steps to safeguard the personal information from unauthorized access or use. Specifically, the complaint alleges that the company failed to develop, implement, and maintain a written and comprehensive information security program, train members of its workforce on how to reasonably safeguard personal information, or maintain a computer security system that ensured that personal information stored on laptop computers or other portable devices was encrypted.
The judgment requires that the company continue to develop, implement, and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with the data security laws. MSB must also pay $100,000, train staff on how to protect personal information, and report to the AG’s Office its compliance with its information security program and the judgment.
If you believe that you have been the victim of identity theft, you will need to take additional steps to protect your credit and your personal information. For additional information, consumers may contact the Attorney General’s consumer hotline at (617) 727-8400, or view the Federal Trade Commission's identity theft resource, available at www.consumer.gov/idtheft/. Guidance for businesses on data breaches can be found here.
The matter was handled by Assistant Attorney General Jared Rinehimer and Director of Data Privacy and Security Sara Cable, both of Attorney General Healey’s Consumer Protection Division.