Belmont, Massachusetts-based McLean Hospital has settled with the state over its 2015 data breach, agreeing to implement new security measures and training and to pay $75,000.
The settlement resolves claims that the psychiatric hospital exposed the data of 1,500 individuals when it lost four unencrypted backup devices containing personal and health information of Harvard Brain Tissue Resource Center employees, patients, and deceased donors, according to Attorney General Maura Healey.
In the complaint, Healey alleged McLean routinely allowed an employee to take home eight unencrypted backup tapes with both demographic and clinical information from the Harvard Brain Tissue Resource Center.
After the employee was terminated in May 2015, she returned only four of those backups, and the hospital was unable to recover the other four.
The complaint also alleged McLean failed to identify, assess, and plan for security risks, and in particular failed to properly train employees, report the lost backups in a timely fashion, or encrypt portable devices containing patient data.
The Attorney General alleged the hospital violated the Massachusetts Data Security Law, the Consumer Protection Law, and HIPAA by failing to properly protect patient data.
“Hospitals must take measures to protect the private information of their patients,” Healey said in a statement. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”
As part of the state settlement, McLean is required to implement and maintain a written information security program and provide mandatory data security training to all employees. Further, within 60 days, McLean must encrypt all electronic personal and health data on all portable devices and create an inventory to track where such data is stored.
The hospital also agreed to a third-party audit of Harvard Brain Tissue Resource Center’s use of portable devices containing patient data and must provide the audit results and any planned corrective actions to the Massachusetts Attorney General’s office.
State enforcement actions have become commonplace in recent years as the volume of digital health data, and of breaches, has grown. In recent months, New Jersey settled with two healthcare organizations over past data breaches: EmblemHealth and the vendor behind the 2016 Virtua Healthcare breach.