On May 24, a Massachusetts hospital agreed to pay $750,000 to settle alleged HIPAA violations relating to a 2010 data breach. This was the largest settlement to date for actions initiated by attorneys general under HITECH. The complaint, brought by Massachusetts Attorney General Martha Coakley, resulted from the loss of back-up tapes with unencrypted personal data affecting some 800,000 individuals.
The AG brought an action against South Shore Hospital alleging that it violated the HIPAA Privacy and Security rules and the Massachusetts data security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) by failing to set up sufficient safeguards, policies, and procedures for information protection. We previously reported on key points for compliance with the Massachusetts Standards.
South Shore Hospital will pay a $250,000 civil penalty and a $225,000 contribution to the attorney general’s fund to promote data protection education and further investigations. Of the $750,000 total settlement, $275,000 will be credited to the hospital for security measures to improve PI and PHI protections. The hospital also must develop a written information security plan, engage a third party firm to audit the hospital’s compliance with federal and state privacy laws, and submit a written report to the Commonwealth concerning the results of the review. In addition, the hospital must annually review its security measures, train its workforce on proper data security, and provide written reminders to employees with contracting authority about proper procedures for obtaining business associate or Service Provider agreements with third parties. In addition, under Massachusetts security standards, the hospital is required to encrypt, erase, or destroy, “to the extent technically feasible,” all PHI the hospital has on portable devices.
The data breach involves three boxes packed with unencrypted back-up tapes that contained PHI—names, social security numbers, financial account numbers, and medical diagnoses—which the hospital shipped off-site to be erased in February 2010. The hospital did not have a business associate agreement with the third party vendor involved, Archive Data Solutions, and failed to ensure that the company had sufficient safeguards to protect the information or that it knew the tapes contained sensitive information. In June 2010, when the shipment arrived in Texas, two of the three boxes were missing.
State attorneys general are increasingly using their HIPAA enforcement authority, which was established in 2009 by the HITECH statute—we’ve now seen actions by AGs in Connecticut, Massachusetts, Minnesota and Vermont. As continued reports of data breaches prompt government investigations and legal action, we may see growing settlement payouts and more states favoring detailed privacy standards like those of Massachusetts. Entities should plan for increased compliance efforts related to privacy and security—including data encryption, employee training, and development of a well-documented information security program and breach response plan.