
Laptop theft exposes protected health information, brings six-figure fine

Beth Israel Deaconess Medical Center in Boston must pay the state of Massachusetts a $100,000 fine due to the theft of an employee’s laptop in May 2012. The laptop, which was not issued by BIDMC, contained the unencrypted protected health information of 3,796 patients and employees. Beyond medical information, patient names and social security numbers were potentially exposed when the device was taken from a physician’s office.

In a release announcing that a consent judgment had been reached, Massachusetts Attorney General Martha Coakley said, “The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure.” The lawsuit filed against Beth Israel Deaconess Medical Center (BIDMC) was based on violations of federal HIPAA and two state privacy laws. BIDMC failed to notify patients of the security breach within 60 days of discovering it, which was required by those laws.

The release from the attorney general’s office said the owner of the stolen device failed to follow hospital security protocol. The hospital’s policy required employees to physically secure and encrypt all devices that contained sensitive patient information. Of the amount to be paid by BIDMC, the majority, $70,000, is a civil penalty, and $15,000 will go to a fund for educational programs supporting the security of personal and protected health information. The hospital also agreed to review its security policies to find and correct any weaknesses.

Shortly after sharing news of the breach, BIDMC announced its intention for employees to play a larger part in data protection. John Halamka, M.D., CIO at BIDMC, stated his hope that this initiative would strengthen and build upon the hospital’s existing security policies. Halamka also made it clear that the risk of security breaches will always hover over hospital operations as long as employees are accessing patient data on different devices from scattered locations.
