Hospital Pays $1 Million Penalty For Loss Of Patient Data

Mass General suffers lawsuit, heavy fine when employee leaves records on train


All security professionals fear the consequences of an online hack or of failing a compliance audit. But last week, a Massachusetts hospital was forced to pay $1 million in penalties for what might have been an honest mistake.

According to a settlement with the Department of Health and Human Services (PDF), Massachusetts General Hospital has agreed to pay a $1 million "resolution" for the loss of records containing the personal health information of 192 individuals.

The penalty follows a lawsuit filed by two HIV-positive patients whose records were among those lost.

The stiff penalty is the result of an incident that occurred two years ago, when a hospital billing manager took the paper records out of the hospital offices in order to work on them from home. The billing manager mistakenly left the records behind on an MBTA subway train, where they were lost and never recovered.

In addition to the $1 million resolution and the legal fees resulting from the lawsuit, Mass General also agreed to implement a "corrective action plan" to help secure patient information, which includes instituting new policies on the handling of paper documents, as well as encryption of data on laptops and other portable devices. Mass General must also pay to train its employees on the corrective action plan, and must audit its policies and procedures at least once a year.

While penalties for exposing customer information are not unheard of, most such penalties have been the result of unauthorized access to online data records or careless handling of sensitive information. In most cases, the penalties were exacted after the loss of many more records than the 192 lost in the Mass General incident.

Just this week, in fact, HSBC received a harsh reprimand from Swiss regulators over the insider theft of more than 24,000 customer records. HSBC was not asked to pay a penalty.


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
