Beth Israel Deaconess Fined for BreachStolen Physician's Laptop Contained Patient Data
As part of the settlement, the hospital has also agreed to take steps "to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information," says a statement from Martha Coakley the state's attorney general.
The medical center also must perform a review and audit of security measures, and then take corrective measures recommended in the review, according to the statement.
John Halamka, CIO of Beth Israel Deaconess, said in a statement to Information Security Media Group: "Every device managed by BIDMC is encrypted today. Every employee has already been trained and attested to the encryption of their personal device. The value of this incident is that it created awareness in the community and led to a significant acceleration in security implementation and training efforts."
Three Laws Cited
The consent judgment was filed under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law and HIPAA.
"The healthcare industry's increased reliance on technology makes it more important than ever that providers ensure patients' personal information and protected health information is secure," Coakley says. "To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures."
The May 2012 incident involved the theft of a physician's personal laptop computer from an unlocked office on the hospital campus. The laptop was not hospital-issued, but was used by the physician with the medical center's knowledge and authorization on a regular basis for hospital-related business, according to the attorney general.
The consent judgment, entered Nov. 20 in Suffolk Superior Court, alleges that Beth Israel "failed to protect the personal and protected health information of nearly 4,000 patients and employees."
The laptop contained the PHI of 3,796 patients and employees as well as the personal information of 194 Massachusetts residents, of which 192 were BIDMC employees. Information put at risk by the data breach included names, Social Security numbers, and medical information, according to the attorney general.
Although the hospital's policy required employees to encrypt and physically secure laptops sensitive information, the physician and members of his staff were not following these policies, Coakley says in her statement.
Under the terms of its consent judgment, the medical center will pay a $70,000 civil penalty, $15,000 for attorney's fees and costs, and a payment of $15,000 to a fund administered by the attorney general's office for educational programs concerning the protection of personal information and protected health information.
Other breach-related penalties issued by the Massachusetts attorney general's office include a 2012 settlement with South Shore Hospital for $750,000; a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups for $140,000; and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.