UMass Memorial Medical Group Inc.

Another Attorney General HIPAA fine has been levied, this time for data breaches that have left thousands of Massachusetts residents’ personal data exposed.

UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. will pay a total of $230,000 to the state of Massachusetts to resolve claims that two separate healthcare data breaches exposed the protected health information (PHI) of more than 15,000 Massachusetts residents.

According to the lawsuit filed by Massachusetts Attorney General Maura Healey, the facilities received complaints that two employees separately accessed patients’ PHI for fraudulent purposes, such as opening cell phone and credit card accounts. The lawsuit alleged that the companies did not properly investigate the claims, discipline the employees involved in a timely manner, nor take any other action to safeguard the breached information.

Information exposed included patients’ names, addresses, Social Security numbers, clinical information, and health insurance information.

By failing to properly protect PHI, UMass Memorial medical entities violated HIPAA, the Consumer Protection Act, and the Massachusetts Data Security Law, according to Attorney General Healey.

“Massachusetts residents rely on their healthcare providers to keep private health information safe and secure,” Massachusetts Attorney General Maura Healey said in a statement on September 20, 2018. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

In addition to the monetary agreement, UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. will also conduct employee background checks and appropriately discipline employees. They will train employees to handle PHI properly, limit employee access to PHI, as well as identify and promptly rectify data security issues. Improper access to patient information will be immediately investigated.

A third-party firm will be hired to conduct a review of data security policies and procedures, which will be provided to the Attorney General.

Rough Week for Massachusetts Healthcare

This Massachusetts Attorney General HIPAA fine follows an announcement made on September 20, when the Office for Civil Rights (OCR) levied almost $1 million in HIPAA fines against three hospitals in the Boston area for failing to protect PHI during filming of ABC’s documentary series “Save My Life: Boston Trauma.”

Patient privacy was compromised at Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) when they invited film crews for “Save My Life: Boston Trauma” on the premises without proper HIPAA authorization from patients.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said OCR Director Roger Severino. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

BMC paid $100,000, BWH paid $384,000, and MGH paid $515,000 in HIPAA fines. Additionally, each hospital will implement a corrective action plan will provide workforce training and include OCR’s guidance with regards to film and media.

According to the OCR guidance: “Healthcare providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”

Additionally, Dr. Rita Luthra, a Springfield, Massachusetts-based gynecologist was sentenced to one year of probation for a criminal HIPAA violation and obstruction of a criminal healthcare investigation on September 19, 2018 after being convicted by a jury in April. Federal prosecutors sought a two-year prison sentence and a $40,000 fine, according to reports.

Dr. Luthra was convicted of allowing a pharmaceutical sales representative to access patient records as well as lying to federal investigators. Dr. Luthra’s attorney’s motion to overturn the conviction was denied by US District Judge Mark G. Mastrioianni.

Dr. Luthra’s work in Springfield’s impoverished North End led Judge Mastroianni to opt for a lighter sentence, the report stated. The judge did, however, reject the defense’s request that Dr. Luthra perform community service in lieu of jail time.

Attorney General HIPAA Fines on the Rise

This Massachusetts Attorney General HIPAA fine is just the most recent example in a new trend of cases where HIPAA fines have been levied at the state level. Historically, HIPAA fines have been almost exclusively levied at the federal level, after an investigation into HIPAA complaints made to OCR.

This new trend in state Attorney General HIPAA fines means that healthcare providers and healthcare vendors are more at risk than ever before of a HIPAA violation leading to an investigation from state or federal auditors. 2018 has now become a record-setting year for HIPAA violations, with almost $25 million in fines this year alone. The best way to protect against breaches and fines is with a total compliance solution that helps you address the full extent of the law within your business

HIPAA Trust Badge

Protect Against HIPAA Fines

Compliant organizations don’t get fined. Become compliant today!