Massachusetts Attorney General Reaches $140,000 Settlement For Medical Practice Data Privacy Breach


In early January 2013, Massachusetts Attorney General Martha Coakley announced a consent judgment in the amount of $140,000 with the former owners of a medical billing practice as well as several medical practices alleged to have improperly disposed of sensitive medical records and confidential billing information at a public dump.  The records contained information involving more than 67,000 Massachusetts residents, and included names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped.  The incident came to light in July 2010, when a Boston Globe photographer observed the records in a pile at the dump while he was disposing of his own trash.  The Boston Globe then publicized this illegal dumping of sensitive records.  The owners of the medical billing company at the time maintain that the records were not in an area of the dump open to the public, and were actually in a building awaiting transfer by truck to be destroyed at a site in Maine.

In light of the Boston Globe report, the Attorney General’s office took action and alleged that the defendants violated HIPAA regulations by not instituting adequate safeguards to ensure that personal information of patients was protected, and that they also violated Massachusetts data security regulations by failing to take reasonable measures in selecting and retaining a service provider to maintain appropriate security measures with respect to protecting confidential information.  The medical practices were included in the settlement based on the fact that they did not have business associate agreements with the medical billing practice detailing how the patient information would be kept confidential.  Notably, in 2009, the HITECH Act gave State Attorneys General the authority to bring civil actions on behalf of their state residents for violation of HIPAA (the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, may also be investigating this incident though it has not commented one way or another).

This $140,000 settlement is a vivid reminder of how important it is for companies, no matter their size or line of business, to understand state and federal data privacy laws and the potential ramifications of non-compliance.  Our cyber liability team works with clients to navigate the complex and sometimes byzantine Massachusetts and federal data privacy laws in order to ensure proper compliance and to avoid breaches and the resulting consequences.  Please read our recent article “Businesses Nationwide Continue to Grapple With Burdensome Massachusetts Data Privacy Laws” for a comprehensive overview of the Massachusetts data privacy laws, and give us a call so we can help your business navigate the cyber minefield.  We look forward to talking to you.