Boston Children’s Hospital to Pay $40K Over Data Breach Allegations

Boston Children’s Hospital (BCH) has agreed to pay $40,000 and take steps to prevent future security violations following allegations related to a data breach that affected patient information, Massachusetts Attorney General Martha Coakley announced Friday.

The consent judgment, entered Friday in Suffolk Superior Court, alleges that BCH failed to protect the personal information and protected health information of more than 2,000 patients.

“Healthcare providers must ensure that the privacy and security of sensitive patient information is protected,” said Coakley. “Today’s settlement will put in place and enforce important technological and physical security measures at Boston Children’s Hospital to help prevent a breach like this from happening again.”

According to the complaint against BCH, an unencrypted, BCH-issued laptop was stolen from a BCH physician while he was presenting at a May 2012 conference in Buenos Aires.

Before the laptop was stolen, the physician received an email from a colleague containing the protected health information of 2,159 patients including names, dates of birth, diagnoses, procedures, and dates of surgery. More than 1,700 patients were under the age of 18, according to the complaint.

The physician took steps that he thought were adequate to remove the protected health information from the laptop, according to the complaint. However, the information from the email remained on the laptop and despite BCH’s written policies, encryption software was not installed prior to the incident.

Under the terms of the consent judgment, BCH will pay $40,000, including a $30,000 civil penalty and a payment of $10,000 to a fund administered by the Attorney General’s Office for educational programs concerning the protection of personal information and protected health information.

The Attorney General’s Office said BCH will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. The hospital will also continue a review and audit of security measures and take corrective measures recommended in the review.

The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.

The Attorney General’s Office said it is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.

Most recently, on Nov. 20, 2014, Beth Israel Deaconess Medical Center agreed to pay $100,000 in a settlement with the Attorney General’s Office after it allegedly failed to protect the personal and protected health information of nearly 4,000 patients and employees.

Source: Massachusetts Attorney General’s office