For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they mishandled and improperly disposed of medical records containing personal information and protected health information.  The settlement amount includes civil penalties, attorneys’ fees and an allocated amount for a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.  A copy of the complaint and corresponding consent judgments are attached here.   

The medical records contained information relating to more than 67,000 residents, and included names, Social Security numbers, health insurance information and medical diagnoses that were not redacted or destroyed before they were discarded at a local transfer station.  The five entities include Goldthwait Associates, which provided medical billing services, in addition to four pathology groups that worked with Massachusetts hospitals and medical centers.

 The AGO alleged that Goldthwait Associates mishandled and disposed of medical records containing personal information and protected health information that it received from the pathology groups.  In addition, the AGO alleged that the four pathology groups failed to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and did not take reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.  The complaint alleged that Goldthwait Associates violated the Massachusetts Consumer Protection Act, M.G.L. c. 93A; the Massachusetts Data Disposal and Destruction Act, M.G.L. c. 93I; and the Massachusetts Security Breach Act and its corresponding regulations, M.G.L. c. 93H/201 CMR 17.00.  In addition, the complaint alleged that the four pathology groups violated the Massachusetts Security Breach Act and its corresponding regulations, M.G.L. c. 93H/201 CMR 17.00; and HIPAA Privacy and Security Rules, 45 C.F.R. §§ 160 to 164.

Unlike the other data security violations prosecuted by the AGO where the settling entity was required to disclose a data breach to the AGO, this matter first became public in 2010 when a Boston Globe photographer was discarding his own garbage at the transfer station and noticed a large stack of paper which, upon closer inspection, he discovered to be medical records.  It thereafter became apparent that the owners of Goldthwait Associates had recently retired and, in an effort to dispose of their records as cheaply and quickly as possible, had hired their son to discard the documents at a local transfer station.  The complaint stated that Goldthwait’s “failure to institute and implement reasonable data security measures to protect the confidentiality of protected health and personal information entrusted to Goldthwait, and instead allow an untrained third-party to dispose of the documents at a dump, resulted in a serious violation of patient privacy and violations of state consumer protection and data security laws.”

Since the regulations went into effect in March 2010, the AGO has sent a consistent message of enforcement.  In a statement announcing the January 7th settlement, Massachusetts Attorney General Martha Coakley stated: “Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third party contractors . . . . We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”