On November 21, Massachusetts Attorney General (AG) Martha Coakley announced that Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a $100,000 fine to settle allegations that a hospital physician failed to protect the personal information (PI) and protected health information (PHI) of almost 4,000 patients and hospital employees.
In May 2012, a BIDMC physician's unencrypted personal laptop
computer was stolen from his unlocked office on the hospital's
campus. The physician regularly used the laptop for
hospital-related business, with BIDMC's knowledge and
authorization. The failure to adequately secure the information
on the device allegedly violated the state's Consumer Protection
Act and Data Security Law, as well as HIPAA.
According to the AG, the physician and his staff violated hospital
policy requiring that BIDMC employees encrypt and physically secure
laptops that contain PI (as defined by state law) and PHI (as
defined in HIPAA). In addition to failing to enforce the policy,
the hospital did not notify affected individuals about the data
breach within the timeframe required by the state's breach
notification law. BIDMC's consent judgment with the AG requires
it to perform a review and audit of its security procedures,
encrypt and secure all portable devices, and train its workforce on
the proper handling of PI and PHI.
This action was the fourth data breach enforcement action since
2012 by the Massachusetts AG against a medical provider. Most
recently, last July, the Women and Infants Hospital of Rhode Island
paid $150,000 to settle data breach allegations arising out of the
disappearance of 19 unencrypted backup tapes that contained the PI
and PHI of more than 12,000 Massachusetts residents.