HIPAA Compliance Now Enforced by Massachusetts AGO: HIPAA & HITECH Blog by Jonathan P. Tomes

In March 2010, Massachusetts’ new data security regulations (201 CMR 17.00) took effect. In January 2013, the Massachusetts Attorney General settled lawsuits filed against five entities for having mishandled and improperly disposed of medical records containing protected health information (“PHI”). The $140,000 settlement included civil penalties, attorneys’ fees, and an allocated amount for a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.

According to an article by attorney Amy Crafts, “Massachusetts AGO Enters into Another Settlement for Data Security Violations,” the medical records contained information relating to more than 67,000 residents and included names, Social Security numbers, health insurance information, and medical diagnoses that were not redacted or destroyed before they were discarded at a local transfer station. The five entities included Goldthwait Associates, which provided medical billing services, and four pathology groups that worked with Massachusetts hospitals and medical centers.

The Massachusetts Attorney General’s Office (“AGO”) alleged that Goldthwait Associates had mishandled and improperly disposed of medical records containing PHI that it had received from the pathology groups. In addition, the AGO alleged that the four pathology groups had failed to have appropriate safeguards in place to protect the personal information that they had provided to Goldthwait Associates and had not taken reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information. The complaint alleged that Goldthwait Associates had violated the Massachusetts Consumer Protection Act, M.G.L. c. 93A; the Massachusetts Data Disposal and Destruction Act, M.G.L. c. 93I; and the Massachusetts Security Breach Act and its corresponding regulations, M.G.L. c. 93H/201 CMR 17.00. In addition, the complaint alleged that the four pathology groups had violated the Massachusetts Security Breach Act and its corresponding regulations, M.G.L. c. 93H/201 CMR 17.00; and HIPAA Privacy and Security Rules, 45 C.F.R. §§ 160 to 164.

The complaint alleged that Goldthwait’s “failure to institute and implement reasonable data security measures to protect the confidentiality of protected health and personal information entrusted to Goldthwait, and instead allow an untrained third-party to dispose of the documents at a dump, resulted in a serious violation of patient privacy and violations of state consumer protection and data security laws.”
