On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.
Attorney General Coakley filed a suit against South Shore Hospital based on violations of the Massachusetts Consumer Protection Act and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Specifically, the suit alleged that South Shore Hospital did not (1) implement adequate safeguards to protect the information on the back-up tapes, (2) train its employees on privacy, or (3) enter into a business associate agreement with the service provider with whom it contracted to erase the data on the tapes.
Pursuant to the consent judgment, South Shore Hospital has agreed to improve its compliance with applicable state and federal privacy laws, such as by developing a written information security program and ensuring that its contracts with service providers comply with the requirements of the HIPAA regulations. The financial portion of the settlement includes a $250,000 civil penalty, a $225,000 contribution to a privacy education fund, and a $275,000 credit to South Shore for costs related to improving its security following the breach.
The South Shore Hospital settlement is the latest in a series of actions by state Attorneys General pertaining to alleged HIPAA violations, following lawsuits filed by the Attorneys General of Minnesota in January 2012, and Connecticut in January 2010. It is also the fourth security breach-related enforcement action by the Massachusetts Attorney General’s Office that we have reported on in the past year.