Blog: Beth Israel To Pay $100,000 for Massachusetts Health Information Breach

Cooley LLP
Contact

Beth Israel Deaconess Medical Center (Beth Israel) reached a settlement with the Massachusetts Attorney General’s Office for a data breach in which a physically unsecured laptop was stolen containing personal and protected health information of nearly 4,000 patients and employees.  In May 2012, a physician’s laptop was stolen from his desk at the hospital. The laptop contained health information of 3,796 patients and hospital employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents.

The Attorney General’s office argued the hospital’s lack of security and failure to encrypt data was against the law.  Although the hospital’s policy and applicable law required encryption and physically secured laptops containing personal information and protected health information, the physician and members of his staff were not following these policies.

In addition to violations of privacy and security, Beth Israel’s response to the incident was insufficient under the law.  It took the hospital three months to provide notification of the breach; however, Health Insurance Portability and Accountability Act (HIPAA) requires notification within 60 days.

Under the terms of the settlement agreement, Beth Israel has agreed to pay $100,000, including a $70,000 civil penalty, $15,000 for attorney’s fees and costs, and a payment of $15,000 to a fund administered by the Attorney General’s Office for educational programs concerning the protection of personal information and protected health information.  Beth Israel will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. Beth Israel also performed or agreed to perform a review and audit of security measures and to take corrective measures recommended in the review.

The details of this case and other recent health information data enforcement actions can be found on the Cooley HIPAA Privacy and Security Enforcement tracker here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Contact
more
less

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.