New Hampshire-based Multi-State Billing Services (MSB) must pay $100,000 and improve its security practices per a consent judgment from the Massachusetts attorney general’s office. The settlement stems from a Medicaid data breach where 2,600 children had some of their information exposed.
“This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others,” Massachusetts Attorney General Maura Healey said in a statement.
MSB reported that an unencrypted laptop was stolen, which contained names, Social Security numbers, Medicaid identification numbers, and dates of birth in some cases.
At the time of the breach, the company processed Medicaid billing information at the following Massachusetts school districts: Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.
MSB did not comply with state law that requires “reasonable steps to safeguard the personal information from unauthorized access or use,” the Attorney General’s Office press release explained.
“Specifically, the complaint alleges that the company failed to develop, implement, and maintain a written and comprehensive information security program, train members of its workforce on how to reasonably safeguard personal information, or maintain a computer security system that ensured that personal information stored on laptop computers or other portable devices was encrypted,” the statement reads.
MSB must also work toward developing, implementing, and maintaining an information security program, along with reviewing and updating current policies and procedures for keeping data secure. Staff members should also be properly trained, according to the settlement.
Third-party organizations that work with healthcare covered entities must ensure that they adhere to all federal and state laws when it comes to maintaining data security. Proper breach notification and current business associate agreements are essential, and a lack of either could lead to heavier fines.
In June 2017, CoPilot Provider Support Services, Inc. agreed to a $130,000 settlement with New York. The organization provides healthcare support services and reportedly waited over one year to notify individuals that a data breach had exposed 221,178 patient records.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” New York Attorney General Eric Schneiderman said in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
CoPilot said it learned on December 23, 2015 that one of its databases was accessed by an unauthorized individual. The organization said it delayed notification because of an ongoing law enforcement investigation.
“General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating,” the New York Attorney General’s office stated.
Not having a business associate agreement in place helped lead to an OCR HIPAA settlement in April 2017 for the Center for Children’s Digestive Health (CCDH).
CCDH agreed to pay $31,000 and enter into a corrective action plan.
OCR conducted a compliance review at CCDH in August 2015 after an investigation of a CCDH business associate, FileFax, Inc. The investigation revealed that the PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax's satisfactory assurance.”
“A process for assessing current and future business relationships to determine whether each relationship is with a ‘business associate’ as that term is defined under the HIPAA Rules,” must also be created, OCR said in the corrective action plan.