A $75,000 HIPAA violation fine has been issued to McLean Hospital by Massachusetts Attorney General Maura Healey over a 2015 data breach. The breach exposed the protected health information (PHI) of approximately 1,500 of their patients.
The psychiatric hospital in Belmont, MA, allowed an employee to take 8 backup tapes home on a regular basis. The employee was terminated in May 2015. However, following the termination, McLean Hospital was only able to recover four of the backup tapes. These backup tapes contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Centre, and were unencrypted.
The lost backup tapes included PHI such as names, Social Security numbers, medical diagnoses, and family histories. Additionally, the state Attorney General’s investigation revealed there had been training failures related to McLean Hospital’s employees. The hospital had not identified, assessed, and planned for security risks. The time delay in reporting the lost tapes was also a matter of concern and the hospital had also failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.
In a statement released by AG Maura Healey, she noted “Hospitals must take measures to protect the private information of their patients. This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”
In the event of a disaster, it must be possible for a patients’ PHI to be recovered. In order to ensure this, backups of sensitive data should be made regularly. In the case of McLean Hospital, if physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data. It also must be ensured PHI will not be exposed in the event of loss or theft of these physical copies. Currently, HIPAA does not demand the use of encryption on PHI. However, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers a similar level of security.
Following on from the investigation’s findings, McLean Hospital has agreed to enhance its privacy and security practices. Included in this privacy and security enhancement practices will be a written information security programme, a new training programme provided for new and existing employees on privacy and security of personal health information, an inventory system to keep track of all portable devices containing ePHI and an encryption of all electronic PHI within 60 days.
A third-party audit of the Harvard Brain Tissue Resource Centre has also been agreed to by McLean to assess how it handles portable devices containing personal and health information.
In a statement issued to the media by McLean Hospital, they stated “McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts.”