Last week, Women & Infants Hospital of Rhode Island (“W&I”) reached a settlement with the Massachusetts Attorney General to resolve allegations that W&I failed to adequately protect personal data stored on unencrypted backup tapes, violating both state and federal data security laws. W&I has agreed to enhance its data security compliance program and to pay a total of $150,000.
In 2011, W&I sent 19 unencrypted backup tapes to its Prenatal Diagnostics Centers located in both Rhode Island and Massachusetts. W&I did not realize that these tapes were missing until fall 2012, at which time W&I reported the issue to the Massachusetts Attorney General. The backup tapes included Social Security numbers, physicians’ names, ultrasound images, and other information of 12,127 Massachusetts residents.
To improve its compliance program, W&I has agreed to maintain an up-to-date inventory of all locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information. W&I has also agreed to audit its security measures and take appropriate corrective action, and the process is already underway. Soon after news of the settlement broke, W&I released a statement that it had already begun “a number of corrective actions” including reviewing policies and procedures, conducting additional training, and improving backup tape receipt and storage practices. Additionally, W&I will pay a fine of $150,000: $110,000 in a civil penalty; $25,000 towards attorneys’ fees and costs; and $15,000 towards two funds – one for future data security litigation, and the other to promote education on protecting personal information.
The settlement with W&I marks the latest instance of a state Attorney General enforcing data security laws. Entities that handle personal data, including but not limited to protected health information, should be aware of their obligations to state officials, and of those officials' enforcement powers, in addition to those of federal authorities.