$150,000 Settlement in Hospital Breach
State HIPAA Case Stems from Lost Back-up Tapes
The Massachusetts attorney general has reached a $150,000 HIPAA settlement with a Rhode Island hospital in the wake of a data breach in 2012 that affected 14,000 patients, 12,000 of whom were from Massachusetts.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The breach at Women and Infants Hospital, which involved lost back-up tapes, potentially exposed patient names, dates of birth, Social Security numbers, dates of exams, physicians' names and ultrasound images.
"Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities," says Martha Coakley, the state's attorney general. "This data breach put thousands of Massachusetts consumers at risk, and it is the hospital's responsibility to ensure that this type of event does not happen again."
As part of the agreement, the hospital has agreed to take several steps, including maintaining an up-to-date inventory of the locations, custodians and descriptions of unencrypted electronic media and paper patient charts containing personal information and protected health information, authorities say. The hospital has also agreed to perform a review and audit of security measures and to take any corrective measures recommended in the review.
The financial settlement breaks down to a $110,000 civil penalty, $25,000 for attorneys' fees and costs, and a payment of $15,000 to a fund to be used by the attorney general's office to promote education concerning the protection of personal information and protected health information and a fund for future data security litigation.
The attorney general's office says it's focused on ensuring that healthcare organizations and their business associates abide by the state's data security laws and federal data privacy requirements under HIPAA and the HITECH Act.
The breach is included on the U.S. Department of Health and Human Services' Office for Civil Rights' list of breaches affecting 500 or more individuals.
A spokesperson for the Rhode Island attorney general said the office did not file suit against the hospital because it notified impacted individuals and offered one year of free credit monitoring services, "which goes above and beyond what the statute requires corporations to do," she said. "The office was satisfied with the proactive steps Women and Infants [took] in offering patients that free credit monitoring."
Breach Details
In April 2012, the hospital discovered it was missing 19 unencrypted back-up tapes from two of its prenatal diagnostic centers, one located in Providence, R.I., and the other located in New Bedford, Mass., authorities say.
Those tapes were supposed to have been sent in the summer of 2011 to a central data center at Women and Infants Hospital's parent company, Care New England Health System, and then shipped off site in order to transfer legacy radiology information to a new picture archiving and communications system, according to authorities.
Due to an inadequate inventory and tracking system, the hospital allegedly did not discover the tapes were missing until the spring of 2012, Massachusetts authorities say. They say deficient employee training and internal policies resulted in the breach not being properly reported to the Massachusetts attorney general and to consumers until the fall of 2012.
