Massachusetts Attorney General (AG) Martha Coakley announced that Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a $100,000 fine to settle allegations that a hospital physician failed to protect the personal information (PI) and protected health information (PHI) of almost 4,000 patients and hospital employees.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” AG Coakley said. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”
According to the complaint, in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.
Although the hospital’s policy and applicable law required employees to encrypt and physically secure laptops containing personal information and protected health information, the physician and members of his staff were not following these policies. BIDMC did not notify patients of the data breach, as required under state and federal data breach notification laws, until August 2012.
The lawsuit was filed under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.
The AG’s Office is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.