Late last month, the Massachusetts Attorney General, Martha Coakley, announced that her office had reached a settlement with South Shore Hospital regarding alleged violations of the Massachusetts Consumer Protection Act and the Health Insurance Portability and Accountability Act (“HIPAA”) stemming from a data breach reported to both her office and the Office of Civil Rights of the Department of Health and Human Services.
In February 2010, South Shore Hospital shipped boxes of unencrypted back-up computer tapes, which contained the protected health information of approximately 800,000 individuals, to an off-site storage facility. The hospital had contracted with Archive Data Solutions (“ADS”) to erase the information on the back-up tapes and to resell them on the hospital’s behalf. In June 2010, the hospital learned that the majority of the tapes, which were handled by multiple companies during the shipping process, never made it to the storage facility. These tapes have yet to be located, although the Attorney General has noted that, to date, there have been no reports of unauthorized use of the information.
The Attorney General alleged in her complaint that South Shore Hospital did not inform ADS that the tapes contained protected health information, and did not determine whether ADS itself had sufficient safeguards in place to protect this information. The complaint also alleged that South Shore Hospital did not have a Business Associate Agreement in place with ADS and that the hospital had failed to train its workforce with respect to health data privacy. In addition to the right of state attorneys general to bring HIPAA enforcement actions, Massachusetts has a data protection statute (M.G.L. ch. 93H) that allows the Attorney General to bring an enforcement action under the Massachusetts Consumer Protection Act (M.G.L. ch. 93A).
Under a consent judgment, South Shore Hospital agreed to pay a $250,000 civil penalty and $225,000 towards an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the alleged breach.