Blog: Beth Israel To Pay $100,000 for Massachusetts Health Information Breach

Cooley LLP

Beth Israel Deaconess Medical Center (Beth Israel) reached a settlement with the Massachusetts Attorney General’s Office over a data breach in which a physically unsecured laptop containing personal and protected health information of nearly 4,000 patients and employees was stolen. In May 2012, a physician’s laptop was stolen from his desk at the hospital. The laptop contained health information of 3,796 patients and hospital employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents.

The Attorney General’s office argued that the hospital’s lack of security and failure to encrypt data was against the law. Although the hospital’s policy and applicable law required that laptops containing personal information and protected health information be encrypted and physically secured, the physician and members of his staff were not following these policies.

In addition to violations of privacy and security, Beth Israel’s response to the incident was insufficient under the law. It took the hospital three months to provide notification of the breach, whereas the Health Insurance Portability and Accountability Act (HIPAA) requires notification within 60 days.

Under the terms of the settlement agreement, Beth Israel has agreed to pay $100,000, including a $70,000 civil penalty, $15,000 for attorney’s fees and costs, and a payment of $15,000 to a fund administered by the Attorney General’s Office for educational programs concerning the protection of personal information and protected health information.  Beth Israel will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. Beth Israel also performed or agreed to perform a review and audit of security measures and to take corrective measures recommended in the review.

The details of this case and other recent health information data enforcement actions can be found on the Cooley HIPAA Privacy and Security Enforcement tracker here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising
