The Women & Infants Hospital of Rhode Island recently agreed to pay the Massachusetts Attorney General $150,000 in penalties, attorney’s fees, and contributions to funds for education and data security litigation. The hospital’s settlement demonstrates the risks that health care entities face from aggressive state attorneys general, even those across state lines, in addition to potential actions by the United States Department of Health and Human Services and the Federal Trade Commission. The consent judgment also highlights the dangers of the continued use of unencrypted technology by health care organizations.

The fines and fees were the result of a 2012 breach of patient health information that exposed the ultrasound images, social security numbers, names, dates of birth, and dates of exams of more than 14,000 individuals. Over 12,000 of the patients were in Massachusetts. The hospital did not discover the breach, which involved 19 missing unencrypted back-up tapes, for months. Even after discovery, the Attorney General’s Office stated that the hospital did not properly report the breach under Massachusetts law.

The Attorney General’s Office cited the hospital for an “inadequate inventory and tracking system” for its 19 unencrypted back-up tapes, as well as “deficient employee training and internal policies.” The hospital agreed to review and audit its security measures and take additional steps to come into compliance with state and federal data privacy and security laws and rules.