Women & Infants Hospital of Rhode Island (WIH) has agreed to pay $150,000 to resolve allegations that it failed to protect the personal information and protected health information of more than 12,000 patients in Massachusetts (press release). The consent judgment resulted from a data breach reported to the MA Attorney General’s Office in November 2012. Breached information included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images.
In April 2012, WIH realized that it was missing 19 unencrypted back-up tapes from two of its Prenatal Diagnostic Centers. In the summer of 2011, these back-up tapes were to be sent to a central data center at WIH’s parent company. Due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Because of deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012.
Key Takeaways: AGs are increasingly enforcing data protection laws and regulations; sensitive information leaving facilities must be protected (encrypted); and employees should be trained to report data privacy and security incidents immediately.