McLean Hospital Issued $75,000 Fine by Attorney General for 2015 Data Breach

The Massachusetts Attorney General has issued a $75,000 fine to McLean Hospital over a 2015 HIPAA violation.

McLean Hospital, a psychiatric hospital and affiliate of Harvard Medical School, was issued the fine by Massachusetts Attorney General Maura Healey for a violation of the Health Insurance Portability and Accountability Act (HIPAA) in 2015. The violation pertained to a data breach experienced by the hospital that compromised the integrity of the protected health information (PHI) of approximately 1,500 patients.

The breach occurred when a former employee of the facility took 8 backup tapes containing sensitive patient data home. The employee had permission to remove the tapes from the facility, despite the nature of the information stored on them. The employee’s contract with the hospital was terminated in May 2015. The hospital attempted to recover all 8 of the backup tapes, but was only successful in obtaining half of them.

The lost tapes were not encrypted, so the PHI they contained could be easily accessed by any unauthorised individual who obtained them. The PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center was stored on the tapes. The data included names, Social Security numbers, diagnoses, and family histories. It is thought that no financial information was compromised.

The state AG’s office launched an investigation into the data breach. The investigation revealed there were significant gaps in employee training programs pertaining to secure data handling. Healey’s office claimed that McLean Hospital had not identified, assessed, and planned for security risks such as those encountered when the tapes were lost.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

The investigation revealed several HIPAA violations committed by the hospital in the aftermath of the breach. The breach was not reported to the appropriate authorities in a timely manner, in violation of HIPAA’s Breach Notification Rule. Furthermore, the hospital’s failure to encrypt the PHI stored on the tapes, or to use a suitable alternative safeguard, was a major HIPAA violation and placed the data of 1,500 individuals at risk. HIPAA’s Security Rule requires that appropriate administrative, physical, and technical safeguards be in place to protect the integrity of PHI.

Security experts recommend that backups of sensitive data be made regularly so that, in the event of a disaster, patients’ PHI can be recovered in a timely manner. If physical copies of PHI are backed up and removed from the main facility by authorised employees, then appropriate security controls, such as encryption, should be in place so that the data cannot be read by anyone who is not authorised to access it. These measures also ensure that, in the event of loss or theft of the devices, PHI will not be exposed.

HIPAA Rules do not explicitly mandate encryption as a data protection requirement. However, if an organisation decides to use an alternative to encryption, the decision must be documented and an equivalent safeguard must be in place to protect PHI from unauthorised access.

McLean Hospital has agreed to review and enhance its privacy and security practices. These measures include implementing a written information security program, training new and existing employees on the privacy and security of personal health information and on their responsibilities under HIPAA, and creating an inventory of all portable devices containing ePHI. McLean Hospital stated that electronic PHI will be protected by encryption within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“Since this incident, McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation,” a spokesperson for the hospital said. “The agreement with the attorney general represents a continuation of those efforts. McLean Hospital remains deeply committed to protecting the privacy and security of all of the information that it collects as part of its mission.”

This is the second HIPAA violation penalty issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. That fine related to a failure to secure the ePHI of 15,000 state residents.