State Settles HIPAA Case for $140,000
Incident Involved Improper Paper Record Disposal
Massachusetts Attorney General Martha Coakley has fined a now-defunct medical billing company and four pathology groups a total of $140,000 in a settlement stemming from a breach involving improper disposal of paper medical records for 67,000 residents.
The settlement is with Goldthwait Associates and four of its clients - Milford Pathology Associates, Milton Pathology Associates, Pioneer Valley Pathology Associates, and Kevin Dole, M.D., former president of Chestnut Pathology Services.
The medical records were discovered by a Boston Globe photographer in July 2010 when he was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records, according to a statement from Coakley.
The attorney general alleges that the pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to business associate Goldthwait Associates. The groups also allegedly violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.
"Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors," Coakley says. "We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again."
Kate Borten of the Massachusetts-based IT security consulting firm The Marblehead Group notes: "These cases are meant to send a message that businesses must take reasonable measures to protect personal data in their care. Throwing patients' paper records away at a trash site is inexcusable now and in 2010."
The complaint, filed in Suffolk Superior Court along with consent judgments, alleges that Joseph and Louise Gagnon, doing business as Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from the four pathology groups. The medical records contained names, Social Security numbers and medical diagnoses.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, did not respond to inquiries about whether it was conducting its own investigation of the incident. Under the HITECH Act, state attorneys general can file civil suits for HIPAA violations.
The defendants agreed to a settlement that calls for paying a total of $140,000 for civil penalties, attorneys' fees and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
In an interview with HealthcareInfoSecurity, Joseph Gagnon, former co-owner with his wife of the medical billing company, said the records discovered by the photographer were not in an area of the dump that was open to the public. The records, he said, were in a building, awaiting transfer by a truck for pulverization in Maine. That was typically how the billing company disposed of records for more than a decade, he said.
Gagnon and his wife closed the medical billing business in May 2010. The medical records discovered at the dump in July 2010 were among other paperwork disposed in the process of closing up the business, he said.
The four pathology practices were part of the settlement because they did not have business associate agreements with Goldthwait Associates spelling out how the medical billing company kept patient information confidential, Gagnon said. "We had relationships with some of these clients for 25 years," he noted.
Last May, Coakley's office announced a $750,000 settlement with South Shore Hospital resolving allegations that it failed to protect the personal and confidential health information of more than 800,000 patients. That case involved lost unencrypted back-up tapes (see: Mass. Hospital Pays Breach Settlement).
Meanwhile, in the statement about the most recent case, Coakley's office said it is trying to ramp up awareness of data privacy among healthcare providers. The office is co-sponsoring with the Massachusetts Hospital Association a Jan. 9 educational session on data privacy.