Former owners of a medical billing practice and four pathology groups in Massachusetts will collectively pay $140,000 to settle potential HIPAA allegations after medical records and billing information for some 67,000 patients were improperly disposed of at a public dump, Mass. Attorney General Martha Coakley announced Jan.7.
The complaint, filed in Suffolk Superior Court, alleges that business associates Joseph and Louise Gagnon of Goldthwait Associates violated state data security laws when they improperly disposed of medical records containing personal health information (PHI) from four state pathology groups at the Georgetown Transfer Station. The medical records contained information for more than 67,000 patients and included names, Social Security numbers and medical diagnoses that were not redacted or destroyed when they were disposed of.
“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” Coakley said. “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”
This matter came to the public’s attention in July 2010 when a Boston Globe photographer was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records. His findings were first reported shortly thereafter.
The other defendants involved in the settlement include Kevin Dole, MD, former president of Boston-based Chestnut Pathology Services; Milford Pathology Associates, which had some 19,750 patient records involved in the breach; Milton Pathology Associates, which involved some 11,000 patient records; and Holyoke, Mass.-based Pioneer Valley Pathology Associates.
The Office of the Attorney General alleges that these groups violated HIPAA regulations by failing to implement the appropriate safeguards to protect patient PHI they provided to Goldthwait Associates. Moreover, officials say they violated state data security regulations by failing to take the appropriate steps to select and retain a service provider that would maintain appropriate security measures to protect patient information.
According to the complaint, the Gagnons ran Goldthwait Associates – which primarily provided medical billing services for pathology groups – and received sensitive medical records and billing information of clients in order to send medical bills on behalf of the groups. The Gagnons retired from Goldthwait Associates and the medical billing business in 2010.
Each of the four pathology groups together with the Gagnons agreed to entry of consent judgments to resolve the allegations. Under the settlement, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
Recent privacy and security efforts from the Attorney General's office include the $750,000 settlement with South Shore Hospital in May 2012, resolving allegations that it failed to protect the PHI of more than 800,000 patients.