Following a two year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, where the information disclosed included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
In February 2010, South Shore Hospital retained a third-party service provider to erase 473 unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. While the third-party service provider was retained before the Regulations were implemented, the AGO noted that South Shore Hospital did not notify the third-party service provider that the tapes contained such sensitive information, and also did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.
In June 2010, South Shore Hospital learned that only one of the boxes was accounted for, and that two of the boxes were missing. There have been no reports of unauthorized use of the personal information or protected health information to date. An investigation conducted by South Shore Hospital indicated that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable.
In addition to claiming that South Shore Hospital violated the Health Information Technology for Economic and Clinical Health Act (“HITECH” Act), which gives state Attorneys General the authority to bring civil actions on behalf of state residents for violations of the Health Insurance Portability and Accountability Act (“HIPAA”), the action against South Shore Hospital claimed violation of Massachusetts’s stringent data security regulations, which went into effect on March 1, 2010. The allegations included failure to implement appropriate safeguards, policies and procedures to protect customers’ information; failure to have a Business Associate Agreement in place with the third-party service provider; and failure to train its workforce with respect to health data privacy.
The significant $775,000 fine includes a $250,000 civil penalty and a $225,000 payment for an education fund to be used by the AGO to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital $275,000 to reflect security measures it has taken subsequent to the breach.
This is the third enforcement action pursued by the AGO that addresses a breach of security occurring after the data security regulations went into effect. Thus far, all of the enforcement actions have resulted in settlements. But the payment agreed to by the AGO and South Shore Hospital far exceeds payments agreed to in other settlements.
The AGO appears to be holding up to its promise that it will vigorously enforce the data security regulations. Indeed, Attorney General Coakley stated that “Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form. It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected customers are aware of a data breach.”