Last month, Boston Children’s Hospital settled with the Massachusetts Attorney General for $40,000 following the theft of a hospital-issued physician laptop containing unencrypted patient information. The Attorney General brought a lawsuit against Boston Children’s Hospital under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act. According to the complaint’s allegations, the physician was presenting at a May 2012 conference in Argentina when the laptop was stolen. The complaint also alleged that the laptop possessed personal health information of more than 2,000 patients, including those under 18, containing such information as dates of birth, diagnoses, and surgery dates. The personal health information was attached in an email to the physician from a colleague. In addition to the fine, Boston Children’s Hospital entered into a consent judgment in which it also agreed to conduct a review of its compliance with federal and state laws and regulations relating to portable devices, to implement a program to encrypt unencrypted laptops, and to revise its training program concerning protected health and patient information for its workforce. In a recent press release, Massachusetts AG Martha Coakley said “Healthcare providers must ensure that the privacy and security of sensitive patient information is protected.”
TIP: This case serves as a reminder that state attorneys general look closely at data breach incidents, particularly incidents involving sensitive consumer information. All companies – even if not regulated by HIPAA – should review their data security practices, including with respect to the use of portable devices, to ensure that workplace policies are adequately requiring the protection of data, encryption of sensitive information where possible, and the training of employees about the importance of protecting sensitive personal information.