Boston Hospital Fined $100,000 for Data Breach

The consent judgment alleges the facility failed to protect the personal and protected health information of nearly 4,000 patients and employees.

Beth Israel Deaconess Medical Center (BIDMC) has agreed to pay a total of $100,000 and take steps to prevent future security violations following allegations related to a data breach that affected patient information.

The consent judgment, entered Thursday in Suffolk Superior Court, alleges the facility failed to protect the personal and protected health information of nearly 4,000 patients and employees.

In May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

The laptop contained the information of 3,796 patients and employees as well as the personal information of 194 Massachusetts residents, of which 192 were BIDMC employees. Information put at risk by the data breach included names, social security numbers and medical information.

Although the hospital’s policy and applicable law required employees to encrypt and physically secure laptops containing personal information and protected health information, the physician and members of his staff were not following these policies. BIDMC did not notify patients about the data breach as required under state and federal data breach notification laws until August 2012.

Under the terms of its consent judgment, BIDMC has agreed to pay $100,000, including a $70,000 civil penalty, $15,000 for attorney’s fees and costs, and a payment of $15,000 to a fund administered by the Attorney General’s Office for educational programs concerning the protection of personal information and protected health information.

BIDMC will also take steps to ensure future compliance with state and federal data security laws and regulations, including properly tracking all portable devices, such as laptops, encrypting and physically securing those portable devices, and training its workforce on the proper handling of personal information and protected health information. BIDMC also performed or agreed to perform a review and audit of security measures and to take corrective measures recommended in the review.
