1 December 2014

Massachusetts AG Remains Active In Data Security Enforcement

Day Pitney LLP


On November 21, Massachusetts Attorney General (AG) Martha Coakley announced that Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a $100,000 fine to settle allegations that a hospital physician failed to protect the personal information (PI) and protected health information (PHI) of almost 4,000 patients and hospital employees.

In May 2012, a BIDMC physician's unencrypted personal laptop was stolen from his unlocked office on the hospital's campus. The physician regularly used the laptop for hospital business, with BIDMC's knowledge and authorization. The failure to adequately secure the information on it allegedly violated the state's Consumer Protection Act and Data Security Law, and the federal Health Insurance Portability and Accountability Act (HIPAA). The lack of encryption is what turned a stolen device into a reportable breach: under the HHS breach notification rule, PHI encrypted in line with HHS guidance is not "unsecured" PHI, and its loss does not by itself trigger notification.

According to the AG, the physician and his staff violated hospital policy requiring that BIDMC employees encrypt and physically secure laptops that contain PI (as defined by state law) and PHI (as defined in HIPAA). In addition to failing to enforce the policy, the hospital did not notify affected individuals about the data breach within the timeframe required by the state's breach notification law. BIDMC's consent judgment with the AG requires it to perform a review and audit of its security procedures, encrypt and secure all portable devices, and train its workforce on the proper handling of PI and PHI.

This action was the fourth data breach enforcement action since 2012 by the Massachusetts AG against a medical provider. Most recently, last July, the Women and Infants Hospital of Rhode Island paid $150,000 to settle data breach allegations arising out of the disappearance of 19 unencrypted backup tapes that contained the PI and PHI of more than 12,000 Massachusetts residents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
