Massachusetts hospital data breach settlement shows health care providers are not immune to consequences
Somewhat lost in the conflagration over Flame and other sexy security news this week, South Shore Hospital agreed to a $750,000 settlement with Massachusetts Attorney General’s office over the loss of 473 unencrypted backup tapes containing the names, social security numbers, financial account numbers and medical diagnoses of 800,000 people.
Data breaches get a lot of attention, but data breach settlements, not so much. The big costs of data breaches, according to Ponemon Institute reports, are customer notification and follow-up services, such as a year of free credit reports, investigation, remediation (how do we reduce the risk of this happening again), and, the big one, albeit a tough one to quantify — customer churn. That’s what drives the average cost of a data breach to $5.5 million in 2011 (and that was a lot lower than 2010). Punitive settlements don’t figure as often.
The key factor here is that the HITECH Act, part of the American Recovery and Reinvestment Act (ARRA), more commonly known as the Stimulus Bill, in February 2009, put some teeth into HIPAA enforcement. As part of the mandate to convert health records to electronic format, the act required public disclosure of health information breaches, which accounts, at least in part, for the spate of health record data breaches we’ve been witnessing. HIPAA violations very rarely received any serious punishment, and security in the health sector continues to lag.
But the HITECH Act also gave states’ attorneys general the right to bring suit for alleged HIPAA violations, so institutions covered under HIPAA now had to be concerned about zealous state officials in addition to the U.S. Department of Health and Human Services (HHS). We’ve seen some significant action from both the federal and state side. In 2011, for example, in an agreement with HHS, Massachusetts General Hospital agreed to pay $1,000,000 to settle potential HIPAA violations stemming from the loss of loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
In state actions by Connecticut and Vermont, insurance provider Health Net paid more than $300,000 in a settlement over loss of an unencrypted drive that exposed health records of 1.5 million people.
It’s too bad the State of Utah, which lost medical claims of 780,000 residents to hackers, can’t bring suit against itself.
In this latest settlement, South Shore Hospital has to pay a $250,000 civil penalty and $225,000 that the attorney general’s office will use towards an information protection educational fund. Another $275,000 has to be spent to beef up the hospital’s information security measures, though one would assume (and we know what happens we assume) that the hospital has already taken appropriate measures since February 2010, when all but one of the tapes disappeared after they were shipped off to be erased.
A number of recent health records breaches have involved lost or stolen backup media or laptops. These types of cases are a little maddening, in that we’ll probably never know if the sensitive information was simply erased, remains dormant on whatever media holds it, or was used to commit fraud. What’s more, health records are particularly sensitive. The potential violation of patient privacy can be as or even more devastating than mere fraud.