Mass. AG reaches $750K agreement with hospital
BOSTON (Legal Newsline) - Massachusetts Attorney General Martha Coakley announced a $750,000 settlement with South Shore Hospital to resolve allegations that it failed to protect confidential and personal health information for more than 800,000 consumers.
In February 2010, South Shore Hospital shipped unencrypted back-up computer tapes with the personal information of more than 800,000 individuals off-site to be erased. Only one of the three boxes arrived at their Texas destination. The missing boxes have yet to be recovered.
"Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form," Coakley said. "It is their responsibility to understand and comply with the laws of our commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach."
The hospital shipped the three boxes of 473 unencrypted back-up computer tapes to Archive Data Solutions to have the tapes erased for resale. The hospital allegedly failed to inform Archive Data that protected health information and personal information, including names, Social Security numbers, financial account numbers and medical diagnoses, were on the tapes.
South Shore Hospital also allegedly failed to determine if Archive Data had sufficient safeguards available to protect the sensitive data. After multiple shipping companies handled the boxes of tapes, only one of the three boxes arrived at Archive Data, Coakley said. To date, there have been no reports of unauthorized use of the protected health information or personal information of individuals who were affected.
South Shore Hospital allegedly failed to implement appropriate procedures, policies and safeguards to protect consumers' information, failed to have a business associate agreement in place with Archive Data and failed to properly train its employees in connection with health data privacy.
The consent judgment, approved in Suffolk Superior Court, requires South Shore Hospital to make a $225,000 payment to an education fund, to be used by Coakley's office to promote the protection of personal information and health information, and to pay a $250,000 civil penalty. The agreement credits the hospital $275,000 to reflect security measures it has taken since the breach occurred. The lawsuit was filed under the federal Health Insurance Portability and Accountability Act and the Massachusetts Consumer Protection Act.
Under the terms of the agreement, South Shore Hospital also agreed to take multiple steps to ensure compliance with federal and state data security regulations and laws, including requirements regarding contracts with third-party service providers and business associates engaged for the purposes of data destruction. The hospital will also undergo an audit and review of particular security measures and will report results and corrective actions to Coakley's office.