Massachusetts v. Women & Infants Hospital of Rhode Island, No. 13-2332G (Mass. Sup. Ct.).

A Rhode Island hospital agreed to judgment on July 22 to pay $150,000, undertake an audit, and institute new security procedures to settle a breach notification suit filed by the Massachusetts Attorney General. In April 2012, Women & Infants Hospital discovered that it was missing unencrypted back-up tapes containing the personal information of about 14,000 patients, more than 12,000 of which were Massachusetts residents. The personal information included names, birth dates, Social Security numbers, and certain medical data. The hospital did not report the breach to patients or authorities until November 2012. The Massachusetts Attorney General filed an enforcement action on July 2, alleging that the hospital’s failure to secure the data and delayed notification violated HIPAA as well as chapter 93a of Massachusetts General Laws. Although the breach also affected more than 1,200 Rhode Island residents, the Rhode Island Attorney General’s Office stated to a news outlet that it was satisfied with the hospital’s breach notification. Neither Massachusetts nor Rhode Islandlaw imposes a specific time period for notification. Rather, both require businesses to issue breach notices as soon as possible and “without unreasonable delay.”