UMass Memorial entities ordered to pay $230K fine for data breaches
The Massachusetts Office of the Attorney General announced on Thursday, Sept. 20, that UMass Memorial Medical Group, Inc. and UMass Memorial Medical Center, Inc. have been ordered to pay $230,000 following two separate data breaches that exposed the personal health information of more than 15,000 people.
According to the Massachusetts AG’s office, two former employees improperly accessed the personal and protected health information of patients for fraudulent purposes during two separate breaches. The office also accused the entities of violating the Consumer Protection Act, the Massachusetts Data Security Law and HIPAA for failing to “properly protect patients’ information.”
“Investigations by the AG’s Office revealed that the breaches exposed patient information including names, addresses, social security numbers, clinical information and health insurance information,” a statement said.
“The AG’s lawsuit alleges that UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. knew of these employees’ misconduct but failed to properly investigate complaints related to these breaches, discipline the employees involved in a timely manner, or take other steps to safeguard the information.”
Along with the fine, the UMass entities will be required to conduct employee background checks, train employees on how to properly handle patient information, identify and solve potential data security issues and quickly investigate suspected improper access to patient information.
They will also be required to hire an independent third-party firm to review their data security.