Boston Children’s Hospital has reached an agreement with Massachusetts Attorney General Martha Coakley to pay $40,000 and improve the security of protected health information following the theft of an unencrypted laptop.

The fine and imposition of corrective actions comes a month after Beth Israel Deaconess Medical Center, also in Boston, agreed to pay $100,000 and make security improvements following the theft of a physician’s laptop from an office in May 2012. Further, in 2012 Coakley slapped South Shore Hospital in Weymouth with a $750,000 fine following a breach that affected about 800,000 patients. Coakley is one of several state attorneys general who have targeted protected health information breaches since changes to HIPAA gave AGs jurisdiction to prosecute.

In the Boston Children’s Hospital case, 2,159 patients or their parents were notified in May 2012 after the laptop was stolen while a hospital physician was attending a conference in Buenos Aires. A file containing patient information had been sent to the laptop as an e-mail attachment, but was not saved to the hard drive. Hospital staff could not determine if the file was accessible on the laptop.

No financial information or Social Security numbers were in the file, but it included patient names, medical record numbers, dates of birth, diagnosis, procedures and dates of surgery. The theft occurred on March 25 but the hospital did not learn of it until April 9.

In announcing the fine, which is modest for these types of actions, Coakley acknowledged that the physician believed he took adequate steps to remove the PHI from the laptop. “However, the information from the email remained on the laptop and despite BCH’s written policies, encryption software was not installed prior to the incident,” according to a statement from Coakley.

The hospital in 2012 did not provide credit and identity theft protection services, since no financial information or Social Security numbers were compromised, a hospital spokesperson at the time told Health Data Management. Under a Massachusetts law, a breach is considered identity theft if it involves a first and last name or first initial and last name, plus one or more of a Social Security number, driver’s license number, state ID card number, or financial account, debit or credit card number.

As with the other fines for breaches of PHI in Massachusetts, portions of the total monetary penalty are split. Boston Children’s will pay a $30,000 civil penalty and $10,000 will go to an AG fund for educational programs on protecting personal and health information.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access