According to a settlement with the Department of Health and Human Services (PDF), Massachusetts General Hospital has agreed to pay a $1 million "resolution amount" for the loss of paper records containing the protected health information of 192 individuals.
The penalty follows a lawsuit filed by two HIV-positive patients whose records were among those lost.
The stiff penalty is the result of an incident that occurred two years ago, when a hospital billing manager took the paper records out of the hospital offices in order to work on them from home. The billing manager mistakenly left the records behind on an MBTA subway train, where they were lost and never recovered.
In addition to the $1 million resolution amount and the legal fees resulting from the lawsuit, Mass General also agreed to implement a "corrective action plan" to better secure patient information. The plan includes new policies on the handling and transport of paper documents, as well as encryption of data on laptops and other portable devices. Mass General must also train its employees on the plan and must audit its policies and procedures at least once a year.
While penalties for exposing customer information are not unheard of, most such penalties have followed unauthorized access to electronic records or careless handling of data on computer systems, rather than the loss of paper files. In most cases, the penalties were exacted after the loss of far more records than the 192 lost in the Mass General incident.
Just this week, in fact, HSBC received a harsh reprimand from Swiss regulators over the insider theft of more than 24,000 customer records. HSBC was not asked to pay a penalty.