RI hospital faces HIPAA fine for MA patient breach
Women and Infants Hospital of Rhode Island will pay $150,000 in a settlement with the Massachusetts attorney general’s office after a 2012 data breach at the hospital affected more than 12,000 Massachusetts patients.
The hospital realized in April 2012 that it was missing 19 unencrypted back-up tapes from two prenatal diagnostic centers, one in Providence, R.I., and the other in New Bedford, Mass. The tapes reportedly contained personal information, including names, dates of birth, Social Security numbers, exam dates, physicians’ names and ultrasound images, of 12,127 Massachusetts residents and 1,877 residents from other states.
“Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities,” Attorney General Martha Coakley said in a statement. “This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again.”
The hospital did not admit any wrongdoing in the settlement. In a statement, the hospital said it has undertaken corrective actions including a thorough review of policies and procedures, more staff training and enhancements to its back-up tape receipt and storage practices.
According to a release, the hospital released the back-up tapes in the summer of 2011 for shipment to a central data center at Care New England Health System, the parent company of Women and Infants. The company was then going to ship the tapes off-site to transfer legacy radiology information to a new archiving and communication system.
Yet more than a dozen tapes were lost, and Women and Infants didn’t discover the tapes were missing until spring of 2012.
The breach then went unreported until the fall of 2012 because of deficient employee training and internal policies, the attorney general’s release said.
The attorney general filed a complaint against the hospital in Suffolk Superior Court on July 2, 2014, claiming that the hospital violated HIPAA by failing to track the tapes and failing to inform patients of a breach in a timely manner.
Under the settlement, issued on July 22, the hospital has agreed that it will maintain an up-to-date inventory of the locations, custodians and descriptions of unencrypted electronic media and paper patient charts that contain personal information and protected health information.
The hospital also agreed to perform a review and audit of security measures.
Of the penalty, $25,000 will go toward attorney fees and $15,000 will be used in a fund set up by the attorney general to promote education around personal information protections and litigate future data security complaints.