Beth Israel Deaconess Medical Center has agreed to pay $100,000 and strengthen its data security policies to settle a state health information data breach complaint involving the medical and personal records of nearly 4,000 individuals exposed by the theft of an unencrypted laptop computer.
The settlement of the civil suit, which came in the form of a consent judgment approved last week in Suffolk County Superior Court, was negotiated between the Boston hospital and Massachusetts Attorney General Martha Coakley.
The hospital agreed to pay a $70,000 civil penalty, $15,000 for attorney's fees and costs, and contribute $15,000 to a fund run by the attorney general's office for education about data privacy and security.
Coakley sued the hospital under the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act. The American Recovery and Reinvestment Act of 2009 extended enforcement jurisdiction of HIPAA privacy and security rules to state attorneys general.
“The healthcare industry's increased reliance on technology makes it more important than ever that providers ensure patients' personal information and protected health information is secure,” Coakley said in a news release.
“To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”
The breach occurred in May 2012 after someone entered a Beth Israel Deaconess physician's unlocked office and took a laptop, which was not issued by the hospital but had been used regularly by the physician for hospital business “with BIDMC's knowledge and authorization,” the statement said.
The laptop contained protected healthcare information of 3,796 patients and employees, according to the attorney general's statement. It also contained personal information on 194 people, most of them hospital employees. The breached data included individuals' names, Social Security numbers and medical information.
The stolen laptop was password protected but not encrypted, in contravention of hospital policy that requires encryption, said Dr. John Halamka, the hospital's chief information officer.
“The issue for him was he had downloaded some e-mails to it,” Halamka said. Those e-mails with other clinicians had patient-identifiable clinical information in them. “The issue for us is that although we don't procure and manage such things as private devices they buy at the Apple store, by HIPAA rule we are responsible for every bit of protected information that's transacted.”
Remediation included a “very significant education program” and a commitment that “everything you could encrypt, we would,” Halamka said, which included data users signing attestations that they would even encrypt their own personal thumb drives.
As a result, “The budget for security went from $1 million a year to about $3 million a year,” but Halamka said, “The nature of the threat is much more significant today than it ever has been.”
Some good news on the horizon is that most mobile devices with iOS (Apple) and Android (Google) operating systems shipped today automatically report the encryption status of the device.
“You can apply policies that say no information will be shared until that device is password protected, encrypted and auto-wiped,” Halamka said. Auto-wiping technology enables a device owner to clear the memory of the device by remote command or after someone enters a certain number of incorrect passwords. “So, I actually feel OK about smartphones.”
Laptop computers present more of a problem because only the newest products have the technology to easily secure the data they store. “If you're running something older, you have to buy third-party encryption software,” Halamka said, and that sometimes creates its own vulnerabilities.
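The conditional-access policy Halamka describes (no patient data until a device reports a passcode, encryption and auto-wipe) can be expressed as a simple posture check. The following is an added example, not code from BIDMC or any MDM product; the posture field names, the failed-attempt threshold and the device inventory are all assumptions constructed for illustration, and a device that has never reported posture, like an unmanaged personal laptop, is denied by default.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed posture fields, modelled on what a mobile-device-management
# console reports for iOS/Android devices; not any real product's API.
@dataclass
class Posture:
    passcode_set: bool
    encrypted: bool
    remote_wipe: bool
    wipe_after_failed: Optional[int]  # None = no auto-wipe on bad passcodes

# Assumed policy threshold; the article states no specific number.
MAX_FAILED_ATTEMPTS = 10

def evaluate(posture: Optional[Posture]):
    """Return (allow_phi_access, unmet_controls).

    A device with no posture report at all (e.g. a personally owned laptop
    outside management) is denied rather than trusted."""
    if posture is None:
        return False, ["no-posture-report"]
    unmet = []
    if not posture.passcode_set:
        unmet.append("passcode")
    if not posture.encrypted:
        unmet.append("encryption")
    if not posture.remote_wipe:
        unmet.append("remote-wipe")
    if posture.wipe_after_failed is None or posture.wipe_after_failed > MAX_FAILED_ATTEMPTS:
        unmet.append("auto-wipe-on-failed-passcodes")
    return not unmet, unmet

# Constructed inventory: a compliant phone, a phone with encryption off,
# and an unmanaged personal laptop that never reported posture.
INVENTORY = {
    "phone-01": Posture(True, True, True, 10),
    "phone-02": Posture(True, False, True, 10),
    "laptop-personal": None,
}

def access_report(inventory=INVENTORY):
    """Map each device id to its (allow, unmet_controls) decision."""
    return {dev: evaluate(p) for dev, p in inventory.items()}

if __name__ == "__main__":
    for dev, (ok, unmet) in access_report().items():
        print(dev, "ALLOW" if ok else "DENY", unmet)
```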
There have been 1,169 significant data breaches of 500 or more individuals' records that have been reported to HHS under an ARRA requirement since September 2009, exposing more than 41 million records, according to the “wall of shame” website kept by HHS' Office for Civil Rights.
The largest settlement for a provider—$4.8 million—was reached earlier this year between HHS' Office for Civil Rights and New York-Presbyterian Hospital and Columbia University resolving a breach that involved 6,800 individuals' records.
Follow Joseph Conn on Twitter: @MHJConn