Last month, a Massachusetts hospital agreed to pay $750,000 for failing to properly safeguard the personal and confidential health information of more than 800,000 individuals. The settlement reached between the Massachusetts Attorney General’s Office and South Shore Hospital involved an improper disclosure of individuals’ names, Social Security numbers, financial account numbers and medical diagnoses by the hospital. It is a cogent reminder that data security programs must be more than another written policy sleeping in a filing cabinet.
This is the story. Two years ago, the hospital retained a third-party service provider to erase unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. The hospital did two things wrong when it transferred the tapes to the vendor. First, it did not notify the third-party service provider that the tapes contained this protected and confidential information. Second, the hospital did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.
The hospital later learned that two of the three boxes containing the back-up tapes – and personal information – were missing. The hospital conducted an investigation and concluded that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable. Even now, there have been no reports of unauthorized use of this personal information or protected health information.
Despite the fact that no patient or individual actually reported suffering harm, the Massachusetts Attorney General’s Office brought an action against the hospital for violating the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) and the Massachusetts data security regulations (201 CMR 17.00). The HITECH Act allows state Attorneys General to bring civil actions on behalf of state residents for violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The Massachusetts data security regulations took effect in March 2010 and, among other things, require every business that has personal information of Massachusetts residents to maintain a comprehensive written information security program to protect that personal information.
The Massachusetts data security law applies to all businesses that store or possess personal information on Massachusetts residents, even if the company is physically located in New Hampshire.
On March 1st of this year, the last provision of the data security regulations, the one addressing third-party service providers, took effect. Under this provision, businesses must require third-party service providers by contract to implement and maintain appropriate security measures for their permitted access to personal information. There is no auditing requirement under the law, but it is advisable to reserve the right to conduct an audit in the contract. The specific language of the contract should at least include assurances from the service provider that it has the capability to protect the personal information in compliance with all applicable state and federal law. The contract should also require the third-party service provider to give immediate notice of any data breach, and it should mandate the destruction of any personal information upon termination of the contract.
More individuals are bringing lawsuits when they have suffered harm connected with a data security breach. Apart from the expense and distraction of defending such a claim, businesses are at risk of losing significant goodwill with customers or patients for failing to protect their personal information. Stay on guard, develop the contracts with your third-party service providers, and go breathe some life into that data security policy.
Neil B. Nicholson is a trial attorney at McLane Law Firm and practices in the firm’s Privacy and Data Security Group. He can be reached at 603-628-1483 or neil.nicholson@mclane.com. The McLane Law Firm maintains offices in Manchester, Concord and Portsmouth, and Woburn, Massachusetts.