Massachusetts attorney general wins $150,000 settlement from hospital that lost patient data
When computers or data-storage media with protected personal health information on them go missing, healthcare providers don’t just face the threat of federal fines and patient class action suits. Individual states also can sue if their residents were impacted.
The Massachusetts’ attorney general’s office has a history of winning successful settlements in such scenarios and this week announced that it had reached a settlement with Women & Infants Hospital of Rhode Island to settle data breach allegations stemming from the 2011 loss of 19 unencrypted back-up tapes from two of the hospital’s prenatal diagnostic centers.
What happened to the tapes is unclear. According to Massachusetts Attorney General Martha Coakley’s press release, the tapes were supposed to have been sent to a central data center at the hospital’s parent company, Care New England Health System, in the summer of 2011. From there, they were supposed to have been sent off-site for transferring of the radiology information on the tapes into a new picture archiving and communications system (PACS). However, the tapes went missing somewhere in the transfer and the hospital and Care New England didn’t realize they were lost until the following spring. It then allegedly took them until the fall of 2012 to notify the patients that they didn’t know what had become of the data.
Courts in two states have recently ruled that patient class action suits in such scenarios need to prove that the personal health data lost was indeed viewed and used by an unauthorized person. There is not evidence in this case that this happened.
However, states can seek settlements if there is evidence that the healthcare provider could and should have protected the data better, i.e., been more careful. In this case, fault was found with Women & Infants Hospital of Rhode Island’s inventory and tracking system, as well as with its employee training on the importance of reporting lost data as quickly as possible.
Coakley’s office had the right to seek a settlement because the data on the 19 tapes included data from 12,127 Massachusetts residents. It had previously reached a $750,000 settlement with South Shore Hospital in South Weymouth, Massachusetts, and a $140,000 settlement with medical billing company Goldthwait Associates and its client pathology groups over alleged violations of the state’s data security laws and federal data privacy requirements.