Hospital hit with $150K breach fine
'Protected health information must be properly safeguarded.'
A Rhode Island hospital that nearly two years ago notified 14,000 patients of a HIPAA breach involving their data agreed Wednesday to hand over $150,000 to settle allegations that it failed to safeguard patient information.
The Women & Infants Hospital of Rhode Island, or WIH, will pay the civil penalty to the Massachusetts Attorney General, who filed a lawsuit against the hospital after discovering that 12,127 of those patients were Massachusetts residents.
The HIPAA breach, which occurred in the spring but was not reported until September 2012, involved 19 unencrypted backup tapes that went missing. The tapes contained patient names, dates of birth, Social Security numbers, ultrasound images, dates of exams and physicians' names.
"Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities," Massachusetts AG Martha Coakley said, in a prepared statement. "This data breach put thousands of Massachusetts consumers at risk, and it is the hospital's responsibility to ensure that this type of event does not happen again."
Following an investigation, officials determined that the backup tapes were originally supposed to be mailed to a central data center and then shipped off-site so that legacy radiology data could be transferred to a new PACS.
However, because of an "inadequate inventory and tracking system," hospital officials reportedly did not learn that the tapes were missing until spring 2012. Inadequate employee training and a lack of internal policies also contributed to the breach not being properly reported, according to AG officials.
Settlement terms require WIH to maintain an up-to-date inventory of the locations, custodians and descriptions of all unencrypted devices containing PHI. The hospital will also need to perform regular security audits and act on their findings.
Of the $150,000 settlement, WIH will pay a $110,000 civil penalty, $25,000 in attorney fees and $15,000 to a fund used by the Massachusetts Attorney General's Office to promote education on the protection of personal information and PHI and to support future data security litigation.
The Massachusetts Attorney General's office has a history of enforcement regarding healthcare data breaches.
In 2012, it reached a $750,000 settlement with South Shore Hospital after 472 boxes of unencrypted backup tapes went missing and the hospital failed to safeguard the data of 800,000 patients.
In January 2013, the former owners of a medical billing practice and four pathology groups handed over $140,000 to settle breach allegations after the groups dumped the medical records of 67,000 patients at a public transfer station.