Boston Children’s Hospital to Pay $40,000 Over Data Breach

After more than 2,100 patients’ private records were exposed in March 2012, Boston Children’s Hospital (BCH) has agreed to pay $40,000 and give patients’ private information greater protection under the terms of a consent judgment.

The state of Massachusetts filed a complaint that accused the hospital of violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to take appropriate data security measures before an incident occurred in Argentina in which thousands of patient records were exposed, including those belonging to minors.

As alleged in the lawsuit, a doctor employed by the hospital attended a conference in Buenos Aires and, while out of the country, requested additional information from another hospital employee in Boston. The employee replied with an unencrypted email containing protected health information, including names, birth dates, diagnoses, procedures, and dates of surgery. Although the doctor tried to delete the email after realizing the sensitive nature of its contents, a copy remained stored on the laptop by his email client. Later that day, the laptop was stolen.

According to the Massachusetts attorney general’s office, BCH has a policy mandating that all laptops used to access its systems be encrypted. However, the hospital failed to adequately supervise and train its employees on how to maintain the security of that data.

Since the breach, the hospital has attempted to improve its methods for protecting patient data, including an overhaul of its policies on handling portable devices and implementing a program to encrypt unencrypted laptops with access to its network.

Additionally, the hospital has worked closely with state and federal governments to ensure all computers and mobile devices used for hospital-related work have been mandatorily encrypted.

Under the consent judgment, BCH does not admit liability but will pay the fine to the Massachusetts attorney general’s office. The hospital has also brought in an independent third party to review its compliance with state and federal standards for protecting residents’ personal information, with corrective action to be undertaken to bring its practices up to code.

The judgment additionally requires the hospital to require all employees with portable devices used to access patient data to sign a compliance certification in acknowledgment of the hospital’s privacy policies and procedures.

However, BCH is not the only healthcare organization that has run afoul of HIPAA in Massachusetts.

In 2010, South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes holding 800,000 individuals’ personal information and protected health information to be erased. The hospital contracted with Archive Data Solutions to erase the tapes and resell them, but never informed Archive Data of the tapes’ sensitive contents and did not determine whether the company had sufficient safeguards in place to protect the data. Only one of the boxes ever arrived. The hospital later agreed to a $750,000 settlement.

Later that year, a medical billing practice and four pathology groups improperly disposed of sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients by throwing them out at a public dump. The records were discovered by a photographer disposing of his own trash at a transfer station, where he noticed a large mound of paper that, on closer inspection, turned out to be medical records.

Even more recently, an unencrypted laptop belonging to a physician at Beth Israel Deaconess Medical Center was stolen from his unattended desk. The physician used the laptop regularly for hospital-related business, and it contained nearly 4,000 patient and employee records, as well as names and Social Security numbers.

As in the other recent cases, the BCH consent judgment is divided between a civil penalty and funding for privacy-related efforts. Of the total $40,000 judgment against Boston Children’s Hospital, $30,000 is considered a civil penalty, while the remaining $10,000 will fund further education and investigation of data protection.