Originally published in June 2012.
Last month, a Massachusetts hospital agreed to pay $750,000 for
failing to properly safeguard the personal and confidential health
information of more than 800,000 individuals. The settlement
reached between the Massachusetts Attorney General's Office
and South Shore Hospital involved an improper disclosure of
individuals' names, Social Security numbers, financial
account numbers and medical diagnoses by the hospital. It is a
cogent reminder that data security programs must be more than
another written policy sleeping in a filing cabinet.
This is the story. Two years ago, the hospital retained a
third-party service provider to erase unencrypted back-up tapes
that contained the personal information and protected health
information of over 800,000 individuals. The hospital did two
things wrong when it transferred the tapes to the vendor. First, it
did not notify the third-party service provider that the tapes
contained this protected and confidential information. Second, the
hospital did not verify that the third-party service provider had
adequate safeguards in place to protect the sensitive
information.
The hospital later learned that two of the three boxes containing
the back-up tapes - and personal information - were missing. The
hospital conducted an investigation and concluded that the back-up
tapes were likely disposed of in a secure commercial landfill and
were therefore unrecoverable. Even now, there have been no reports
of unauthorized use of this personal information or protected
health information.
Despite the fact that no patient or individual actually reported
suffering harm, the Massachusetts Attorney General's Office brought
an action against the hospital for violating the Health Information
Technology for Economic and Clinical Health Act ("HITECH"
Act) and the Massachusetts data security regulations (201 CMR
17.00). The HITECH Act allows state Attorneys General to
bring civil actions on behalf of state residents for violations of
the Health Insurance Portability and Accountability Act
("HIPAA"). The Massachusetts data security
regulations took effect in March 2010, and among other things,
require every business that has personal information of
Massachusetts residents to maintain a comprehensive written
information security program to protect that personal
information.
The Massachusetts data security law applies to all businesses that
store or possess personal information on Massachusetts residents,
even if the company is physically located in New Hampshire.
On March 1st of this year, the last provision of the data security
regulations, the one addressing third-party service providers, took
effect. Under this provision, businesses must require third-party
service providers by contract to implement and maintain appropriate
security measures for the personal information they are permitted to
access. There is no auditing requirement under the law, but it
is advisable to reserve the right to conduct one in the contract.
The specific language of the contract should at least include
assurances from the service provider that it has the capability to
protect the personal information in compliance with all applicable
state and federal law. The contract should also require the third-party
service provider to give immediate notice of any data breach.
It should also mandate the destruction of any personal
information upon termination of the contract.
More individuals are bringing lawsuits when they have suffered harm
connected with a data security breach. Apart from the expense and
distraction of defending such a claim, businesses are at risk of
losing significant goodwill with customers or patients for failing
to protect their personal information. Stay on guard, develop the
contracts with your third-party service providers, and go breathe
some life into that data security policy.
Neil B. Nicholson is a trial attorney at McLane Law Firm and practices in the firm's Privacy and Data Security Group.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.