Massachusetts Enforces Across Border As R.I. Hospital Settles Breach Notice Case

By Martha Kessler  

July 25 — A Rhode Island hospital has agreed to pay Massachusetts $150,000 to settle claims that it failed to protect the personal information of more than 12,000 Massachusetts patients during a 2011 data breach, the Massachusetts Attorney General's Office announced July 23.

Under the terms of a consent agreement filed in Massachusetts Superior Court, Women & Infants Hospital of Rhode Island also agreed to take steps to ensure compliance with state and federal data security laws and hire an outside firm to perform an audit.

The decision by Massachusetts Attorney General Martha Coakley (D) to pursue the Rhode Island-based health care system—which has the majority of its operations outside of Massachusetts—is significant, Peter McLaughlin, of counsel with DLA Piper in Boston, told Bloomberg BNA July 24.

The message from the attorney general is to “watch out, just because the Massachusetts data security regulation says if you are holding the information of Massachusetts residents, regardless of where you are, we are going to claim the ability to enforce against you,” he said. “It does represent a little bit of that regulatory reach across the border.”

Alleged Delayed Breach Notification

The accord stems from a data breach reported to the Massachusetts Attorney General's Office in 2012 in which 19 unencrypted backup tapes from two prenatal diagnostic centers containing the personal information and protected health information of 12,127 Massachusetts residents were found to be missing, according to a July 23 statement by the office.

“Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities,” Coakley said in the statement. “This data breach put thousands of Massachusetts consumers at risk, and it is the hospital's responsibility to ensure that this type of event does not happen again.”

According to the Attorney General's Office, in April 2012 the hospital realized it was missing the 19 backup tapes from the two prenatal centers, one in Providence, R.I. and one in New Bedford, Mass.

Those backup tapes were supposed to have been shipped in 2011 to a central data center at the hospital's parent company, Care New England Health System, and then reshipped to an off-site location for information to be transferred to a new system, according to the statement by Coakley's office.

However, the hospital allegedly didn't discover the tapes were missing until the spring of 2012, and the breach wasn't reported to consumers and the Massachusetts Attorney General's Office until the fall of 2012, Coakley's office said.

The information contained on the tapes included patients' names and dates of birth, Social Security numbers, dates of exams, physicians' names and ultrasound images.

Coakley alleged that Women & Infants Hospital violated the Health Information Portability and Accountability Act Privacy Rule, 45 C.F.R. § 164, and state rules and regulations designed to protect personal information and protected health information such as those at Mass. Gen. Laws. ch. 93A.

The Massachusetts action “reflects a continuation of state attorneys general enforcing on HIPAA, which is still quite new,” McLaughlin told Bloomberg BNA. “But given the resources of 50 AGs around the country and the amount of data going hither and yon on a regular basis, I suspect we will see more of these state-level enforcement actions in the health sector.”

In January 2010, then Connecticut Attorney General Richard Blumenthal (D) filed the first state enforcement action involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH Act), signed Feb. 17, 2009 by President Barack Obama, authorized state attorneys general to enforce HIPAA. In November 2010, Blumenthal was elected to represent Connecticut in the U.S. Senate.

1,200 Rhode Island Residents Affected

A spokeswoman for the hospital told Bloomberg BNA July 23 that, in addition to the Massachusetts residents, approximately 1,200 Rhode Island residents were affected. She said all the affected individuals were offered one year of free credit monitoring.

A spokeswoman for the office of Rhode Island Attorney General Peter F. Kilmartin (D) told Bloomberg BNA July 24 that the office is satisfied by the actions taken by the hospital to notify Rhode Island residents potentially impacted by the data breach and to offer them one free year of credit monitoring. She said the office reached out to Women & Infants Hospital at the time the breach was disclosed and believes the hospital met its obligations under Rhode Island's identity theft protection law.

The hospital confirmed in a statement provided to Bloomberg BNA July 23 that it had agreed to pay $150,000 to resolve allegations that it failed to protect the personal information and protected health information of some 12,000 patients in Massachusetts.

“Women & Infants Hospital takes the privacy and confidentiality of its patients very seriously and regrets any concern or inconvenience that this may have caused,” the hospital said. It stressed that it has undertaken “a number of corrective actions to prevent an incident like this from happening in the future, including a thorough review of policies and procedures, additional staff training, and enhancement of backup tape receipt and storage practices.”

In the consent judgment, the hospital didn't admit any wrongdoing.

To contact the reporter on this story: Martha Kessler in Boston at mkessler@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

Full text of the final judgment by consent is available at http://op.bna.com/pl.nsf/r?Open=kjon-9markg.