Mass. Hospital Pays Breach SettlementState Attorney General Suit Alleged HIPAA Violations
A Massachusetts hospital that reported a 2010 breach involving lost backup tapes with information on 800,000 individuals has agreed to pay a $475,000 penalty to settle a state attorney general's lawsuit.
The settlement of the lawsuit against South Shore Hospital in South Weymouth called for a $750,000 penalty, but the consent judgment approved by the court credited the hospital for $275,000 it spent on security measures after the breach. The suit alleged violations of the federal HIPAA regulations as well as the Massachusetts Consumer Protection Act. Under the HITECH Act, state attorneys general can file civil suits for HIPAA violations.
In addition to a $250,000 civil penalty, the hospital will pay $225,000 to an education fund to be used by the attorney general's office to promote education concerning the protection of personal information and protected health information.
In a statement about the settlement, Richard Abut, South Shore Hospital's president, says: "We appreciate that the attorney general has recognized the steps we've taken to enhance our data security systems and hope to be able to serve as a source of information about best practices for other healthcare providers."
In February 2010, the hospital shipped three boxes containing 473 unencrypted back-up tapes - containing personal and health information on 800,000 individuals - to another site to be erased, Attorney General Martha Coakley reports. The hospital hired Archive Data Solutions to erase the tapes and resell them. But the attorney general says the hospital failed to inform Archive Data that the tapes contained sensitive information. Plus, the hospital failed to determine whether Archive Data had sufficient safeguards in place to protect the information. Multiple companies handled the shipping of the boxes.
In June 2010, the hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes still haven't been recovered, but there have been no reports of unauthorized use of the information on the missing tapes, the attorney general reports.
The hospital notes in its statement: "All available evidence indicated that the back-up computer files were most likely disposed of in a secure commercial landfill and were therefore unrecoverable."
South Shore Hospital did not have a business associate agreement with Archive Data, Coakley reports. Plus, the lawsuit alleged the hospital failed to implement appropriate safeguards, policies and procedures to protect consumers' information and it failed to properly train its workforce about privacy issues.
As part of the court-approved consent judgment, the hospital agreed to take several steps, including undergoing a review and audit of security measures and reporting any corrective actions to the state.
Business Associates and Breaches
About 22 percent of the more than 430 major breaches reported to federal authorities since the September 2009 enactment of the HIPAA breach notification rule have involved business associates (see: 20 Million Affected by Health Breaches).
Attorney Adam Greene of Davis Wright Tremaine LLP says organizations need to go beyond spelling out expectations in business associate agreements to carefully review and continually monitor business associates' security practices (see: Breach Prevention: Setting Priorities.
Mac McMillan, CEO of the consulting firm CynergisTek, says organizations need to start with both a legal and security review during the vendor selection process. "If you're going to share PHI [protected health information] with a vendor, doesn't it make sense that they should be able to demonstrate they have a security program before you even select them for consideration?" McMillan asks.