A major breach at Beth Israel Deaconess Medical Center in Boston after a physician’s personal laptop was stolen in 2012 is costing the hospital more money now that the Massachusetts Office of Attorney General has levied a $100,000 fine for failure to encrypt the device.

Changes to the HIPAA privacy and security rules several years ago gave state attorneys general jurisdiction to prosecute breaches of protected health information and several states—particularly California, Connecticut, and Massachusetts—have issued fines.

In 2012, the unencrypted laptop was stolen from the physician’s office on May 22, but patients were not notified until August. Under HIPAA, notifications must go out within 60 days of a breach being discovered. “The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business,” according to a statement from Attorney General Martha Coakley.

The laptop contained summaries of medical information for administrative purposes for nearly 3,800 patients and employees, as well as Social Security numbers for 194 state residents including 192 employees. The hospital offered paid credit and identity theft protection services.

Since the incident, employees must bring their personal computing devices in to be encrypted and to annually verify that they remain encrypted.

Under a consent judgment with the state, BIDMC will pay a $70,000 civil penalty, $15,000 to cover attorney costs and $15,000 to an Attorney General fund for educational programs on protecting personal and medical information.

The fine against BIDMC pales in comparison with a Massachusetts Attorney General fine of $750,000 assessed in 2012 against South Shore Hospital in Weymouth, but that breach, affecting about 800,000 patients, was a lot bigger.

Under that agreement, South Shore’s fine was set at $750,000 but the hospital was credited $275,000 as recognition for investments to improve security. The hospital paid a $250,000 regulatory enforcement fee and made a $225,000 contribution to a data security education fund.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access