• This page, UMass Memorial Health Care Entities to Pay $230,000 to Resolve AG’s Lawsuit Over Data Breaches , is   offered by
  • Office of the Attorney General
Press Release

Press Release  UMass Memorial Health Care Entities to Pay $230,000 to Resolve AG’s Lawsuit Over Data Breaches

Lawsuit Alleges Breaches Exposed 15,000 Massachusetts Residents’ Personal and Health Information to Unauthorized Parties
For immediate release:
9/20/2018
  • Office of Attorney General Maura Healey

Media Contact   for UMass Memorial Health Care Entities to Pay $230,000 to Resolve AG’s Lawsuit Over Data Breaches

Meggie Quackenbush

BostonUMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. will pay a total of $230,000 to resolve claims that two separate data breaches exposed the personal and health information of more than 15,000 Massachusetts residents, Attorney General Maura Healey announced today.

According to the AG’s complaint, filed last week along with a consent judgment in Suffolk Superior Court, two former employees of UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. in separate breaches improperly accessed patients’ personal and protected health information for fraudulent purposes, such as opening cell phone accounts and credit card accounts. The AG’s Office alleges the UMass entities violated the Consumer Protection Act, the Massachusetts Data Security Law, and the Health Insurance Portability and Accountability Act when they failed to properly protect patients’ information.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said AG Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

Investigations by the AG’s Office revealed that the breaches exposed patient information including names, addresses, social security numbers, clinical information and health insurance information. 

The AG’s lawsuit alleges that UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. knew of these employees’ misconduct but failed to properly investigate complaints related to these breaches, discipline the employees involved in a timely manner, or take other steps to safeguard the information.

As part of the settlement, the UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. have agreed to conduct employee background checks and ensure proper employee discipline; train employees on the proper handling of patient information; limit employee access to patient information; identify and remediate potential data security issues; and promptly investigate suspected improper access to patient information.

The UMass Memorial entities will also be required to hire an independent third-party firm to conduct a review of its data security policies and procedures, which the health care entities will report to the AG’s Office. 

This matter was handled by Assistant Attorney General Michael Wong and Legal Analyst Elizabeth Carnes Flynn, with assistance from Division Chief Eric Gold, all of AG Healey’s Health Care Division.

###

Media Contact   for UMass Memorial Health Care Entities to Pay $230,000 to Resolve AG’s Lawsuit Over Data Breaches

  • Office of the Attorney General 

    Attorney General Maura Healey is the chief lawyer and law enforcement officer of the Commonwealth of Massachusetts.
  • Help Us Improve Mass.gov  with your feedback

    Please do not include personal or contact information.
    Feedback