At the end of last month, Boston hospital Beth Israel Deaconess Medical Center (BIDMC) settled a data breach lawsuit brought by the Massachusetts Attorney General related to the 2012 theft of a physician’s laptop. Under a consent decree entered on Nov. 20, 2014, BIDMC agreed to pay $100,000 and to take a number of steps to ensure future compliance with state and federal data security laws.
The state of Massachusetts filed the enforcement suit against BIDMC on the same day as the consent decree’s entry, alleging that an unauthorized person gained access to a BIDMC physician’s unlocked office on campus in May 2012 and stole an unencrypted personal laptop sitting unattended on a desk. Though the laptop was not hospital-issued, the physician used it regularly for hospital-related business with BIDMC’s knowledge and authorization. The physician and his staff allegedly were not following hospital policy and applicable law requiring employees to encrypt and physically secure laptops containing protected health information and personal information. According to the state, the laptop contained nearly 4,000 patients’ and employees’ protected health information and nearly 200 employees’ personal information, including names, Social Security numbers and medical information. The complaint also alleged that BIDMC failed to notify patients about the data breach until nearly three months later, in August 2012.
Under the terms of the consent decree, BIDMC’s $100,000 settlement payment breaks down into a $70,000 civil penalty, $15,000 in attorneys’ fees and costs, and a $15,000 payment to a fund that the Massachusetts Attorney General will use for education, further investigation and litigation, and other programs related to the protection of consumers’ protected health information and personal information.
The consent decree also requires BIDMC to adhere to a written information security plan; to encrypt or otherwise secure all laptops, personal wireless devices and portable storage media (such as thumb drives, CDs and DVDs); to develop and maintain a current inventory of all laptops and personal wireless devices and the security or encryption technology applied to each device; and to provide data security training to employees.
The action is notable for three reasons. First, it underscores the fact that even “small” breaches can land an organization in hot water. While smaller breaches might not draw the attention of the FTC or other federal agencies, state enforcement authorities are more than willing to step in and bring their own actions. Second, and relatedly, authorities will always be concerned with health information, no matter how small the breach. The fact that the laptop was a personal device and was stolen from inside the hospital (as opposed to being left in an unlocked car) may have mitigated the size of the penalty, but it did not preclude enforcement. Finally, the decree spells out the controls expected around personally identifiable information, especially patient information: encryption on every portable device that may hold it, an inventory of those devices and the encryption applied to each, and training so that staff actually follow the policy rather than, as alleged here, leaving an unencrypted laptop unattended in an unlocked office. When it comes to data security, an ounce of prevention is certainly better than a pound of cure.