The Massachusetts Attorney General has fined UMass Memorial Health Care $230,000 for HIPAA violations arising from two data breaches that compromised the protected health information (PHI) of more than 15,000 Massachusetts residents.
Attorney General Maura Healey took legal action against UMass Memorial Health Care over the alleged failure of UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. to implement adequate security measures to protect patients' sensitive health data. In two separate incidents, employees without authorization were able to access and copy patient health data. The stolen data were then used to apply for cell phone and credit card accounts in the victims' names.
The complaint alleges that UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. knew about the employee misconduct but failed to properly investigate the complaints associated with the breaches or to take action against the employees involved, and that they did not adequately safeguard patients' PHI. These failures are alleged to violate the Health Insurance Portability and Accountability Act (HIPAA), the Massachusetts data security laws and the Massachusetts Consumer Protection Act.
As a result of the lawsuit, UMass Memorial Health Care has paid the state attorney general's office a $230,000 fine. In addition, UMass Memorial Health Care must implement the following security controls:
- Conduct background checks before hiring new personnel.
- Provide all employees with additional training on the proper handling of PHI.
- Limit employee access to patient health data.
- Conduct risk analyses to identify potential security problems, and subject any issues found to a HIPAA-compliant risk management process.
- Ensure appropriate employee discipline.
- Investigate promptly any suspected incidents of inappropriate access to ePHI.
UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. are also required to engage an independent third party to carry out a comprehensive evaluation of their data security policies and procedures. The results of that evaluation must be reported to the Massachusetts attorney general's office.
Attorney General Maura Healey said the actions required of UMass Memorial will help prevent breaches from happening again, so that Massachusetts residents can be confident that their private health data are safe and secure. UMass Memorial Health Care is the fifth healthcare organization in 2018 to settle a HIPAA violation case with a state attorney general. The Arc of Erie County ($200,000), Aetna ($1,150,000) and EmblemHealth ($575,000) were fined by the New York AG earlier this year, while Virtua Medical Group paid the New Jersey AG $417,816 in April to settle its HIPAA violations.