Rhode Island Hospital Reaches Settlement with Massachusetts AG to Resolve Data Security Allegations

more+
less-

Last week, Women & Infants Hospital of Rhode Island (“W&I”) reached a settlement with the Massachusetts Attorney General to resolve allegations that W&I failed to adequately protect personal data stored on unencrypted backup tapes, violating both state and federal data security laws.  W&I has agreed to enhance its data security compliance program and to pay a total of $150,000.

In 2011, W&I sent 19 unencrypted backup tapes to its Prenatal Diagnostics Centers located in both Rhode Island and Massachusetts.  W&I did not realize that these tapes were missing until fall 2012, at which time W&I reported the issue to the Massachusetts Attorney General.  The backup tapes included Social Security numbers, physicians’ names, ultrasound images, and other information of 12,127 Massachusetts residents.

To improve its compliance program, W&I has agreed to maintain an up-to-date inventory of all locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information.  W&I has also agreed to audit its security measures and take appropriate corrective action, and the process is already underway.  Soon after news of the settlement broke, W&I released a statement that it had already begun “a number of corrective actions” including reviewing policies and procedures, conducting additional training, and improving backup tape receipt and storage practices.  Additionally, W&I will pay a fine of $150,000: $110,000 in a civil penalty; $25,000 towards attorneys’ fees and costs; and $15,000 towards two funds – one for future data security litigation, and the other to promote education on protecting personal information.

The settlement with W&I marks the latest installment of a state Attorney General enforcing data security laws.  Entities that interact with personal data, including but not limited to protected health information, should be aware of their responsibilities to and the enforcement powers of state officials in addition to federal authorities. 

Topics:  Data Breach, Data Protection, Healthcare, Hospitals

Published In: Consumer Protection Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »