On November 21, 2014, Massachusetts Attorney General Martha Coakley announced that Boston hospital Beth Israel Deaconess Medical Center (“BIDMC”) has agreed to pay a total of $100,000 to settle charges related to a data breach that affected the personal and protected health information of nearly 4,000 patients and employees.
In its complaint, the Attorney General alleged that a trespasser entered an unlocked office of a BIDMC physician and stole a personal laptop containing the unencrypted names, Social Security numbers and medical information of 4,000 patients and employees. The Attorney General alleged that the breach resulted from BIDMC’s failure to protect the personal and protected health information of its patients and employees as required by law, in violation of the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act.
Pursuant to the consent judgment, BIDMC will pay $100,000 to resolve the allegations. $15,000 of the $100,000 settlement will be applied to a fund administered by the Attorney General for data protection educational programs. The consent judgment also requires BIDMC to “take steps to ensure future compliance with state and federal data security laws and regulations,” including the implementation of enhanced device management, encryption and training policies.
In response to the settlement, Massachusetts Attorney General Martha Coakley said that “[t]he healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” and that “[t]o prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”