On November 21, Massachusetts Attorney General (AG) Martha Coakley announced that Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a $100,000 fine to settle allegations that a hospital physician failed to protect the personal information (PI) and protected health information (PHI) of almost 4,000 patients and hospital employees.
In May 2012, a BIDMC physician’s unencrypted personal laptop computer was stolen from his unlocked office on the hospital’s campus. The physician regularly used the laptop for hospital-related business, with BIDMC’s knowledge and authorization. The physician’s failure to adequately secure the information on the laptop allegedly violated the state’s Consumer Protection Act and Data Security Law, as well as the federal HIPAA law.
According to the AG, the physician and his staff violated hospital policy requiring that BIDMC employees encrypt and physically secure laptops that contain PI (as defined by state law) and PHI (as defined in HIPAA). In addition to failing to enforce the policy, the hospital did not notify affected individuals about the data breach within the timeframe required by the state’s breach notification law. BIDMC’s consent judgment with the AG requires it to perform a review and audit of its security procedures, encrypt and secure all portable devices, and train its workforce on the proper handling of PI and PHI.
This action was the fourth data breach enforcement action since 2012 by the Massachusetts AG against a medical provider. Most recently, last July, the Women and Infants Hospital of Rhode Island paid $150,000 to settle data breach allegations arising out of the disappearance of 19 unencrypted backup tapes that contained the PI and PHI of more than 12,000 Massachusetts residents.