Mass General Pays $1 Million Fine For Data Breach

Last week, the Department of Health and Human Services (HHS) announced that it had reached a settlement with the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General). Mass General agreed to pay the U.S. Government $1 million:

"... to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule..."

The "potential violation" stems from a March 2009 data breach which, according to HHS, involved:

"... the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS... Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule."

The impermissible disclosure of PHI involved the loss of:

  • Documents containing patient schedules with names and medical record numbers for 192 patients
  • Billing forms containing the name, date of birth, medical record number, health insurer, policy number, diagnosis, and names of providers for 66 of the 192 patients

This was a loss of paper records, not of a laptop or other electronic media: a Mass General employee left the documents on a subway train while commuting to work, and they were never recovered. As part of the settlement, Mass General signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients, including PHI that is taken off premises.

Comments
jeremy

Wow. That's an awful amount of money.