DataBreaches.Net


Beth Israel Deaconess Medical Center to Pay $100,000 to Settle State Charges Over Data Breach

Posted on November 21, 2014 by Dissent

As noted on this site in July 2012, Boston.com reported that a laptop with patient information had been stolen from a physician’s office at Beth Israel Deaconess Medical Center in May. By August 2013, the breach had cost the medical center over $500,000, but there was at least one silver lining. Now, however, the breach has cost them another $100,000 to settle charges by the Massachusetts Attorney General’s Office, and HHS’s investigation of the breach is still open. The following is a press release from the Massachusetts Attorney General’s Office:

BOSTON – A Boston hospital will pay a total of $100,000 and take steps to prevent future security violations following allegations related to a data breach that affected patient information, Attorney General Martha Coakley announced today.

The consent judgment, entered Thursday in Suffolk Superior Court, alleges that Beth Israel Deaconess Medical Center (BIDMC) failed to protect the personal and protected health information of nearly 4,000 patients and employees.

“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” AG Coakley said. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”

According to the complaint against BIDMC, in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

The laptop contained the protected health information of 3,796 patients and employees as well as the personal information of 194 Massachusetts residents, of which 192 were BIDMC employees. Information put at risk by the data breach included names, social security numbers, and medical information.

Although the hospital’s policy and applicable law required employees to encrypt and physically secure laptops containing personal information and protected health information, the physician and members of his staff were not following these policies. BIDMC did not notify patients about the data breach as required under state and federal data breach notification laws until August 2012.

Under the terms of its consent judgment, BIDMC has agreed to pay $100,000, including a $70,000 civil penalty, $15,000 for attorney’s fees and costs, and a payment of $15,000 to a fund administered by the AG’s Office for educational programs concerning the protection of personal information and protected health information.

BIDMC will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. BIDMC also performed or agreed to perform a review and audit of security measures and to take corrective measures recommended in the review.

The lawsuit was filed under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act.

The AG’s Office is focused on ensuring that health care entities abide by the state and federal data privacy requirements to protect personal information and protected health information. Recent efforts include a 2012 settlement with South Shore Hospital for $750,000, a 2013 settlement with medical billing company Goldthwait Associates and its client pathology groups, and a $150,000 settlement with Women and Infants Hospital of Rhode Island in July 2014.

The BIDMC matter is being handled by Assistant Attorney General Shannon Choy-Seymour of the Health Care Division and Assistant Attorney General Sara Cable of the Consumer Protection Division.

SOURCE: Attorney General Martha Coakley
