HIPAA Blog

[ Friday, May 25, 2012 ]

South Shore Update: As I previously mentioned, a Boston-area hospital suffered a data breach when it sent a bunch of data tapes to a vendor to erase and resell them. The vendor subcontracted the work out, and mailed the tapes in 3 boxes; only 1 box arrived. The data on the tapes was not encrypted.

Nobody knows where the tapes ended up, and there does not appear to have been any improper use of the data on the tapes. In all likelihood, they are in a landfill somewhere. And this might not even be a reportable HIPAA breach under the data breach reporting requirements. But it is a breach under Massachusetts law.

So, enter Martha Coakley, the Massachusetts attorney general and former US Senate candidate. The hospital, which did nothing wrong other than hiring what turned out to be the wrong vendor, and suffered an incident for which there is not proof that any harm was caused, and spent $275,000 on additional security measures after the breach occurred, has now been fined a total of $750,000* by the Commonwealth of Massachusetts.

Why the asterisk? The hospital gets credit for the $275,000 already spent, so the fine is actually only $475,000. Sort of. Actually, of the $475,000, $225,000 is to go to a (slush) fund for the AG's office. $250,000 is the actual fine.

The good news is in the course of spending the $275,000, the hospital has apparently moved to a full-level encryption regime. Remember, encryption is not required. However, it's a golden ticket from having to report a HIPAA breach, and in states like Massachusetts and Nevada, it's a free pass from state law issues as well. That may be the real lesson here -- consider encryption.

Jeff [8:54 AM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template