Dedicated to providing the latest
HIPAA compliance news

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

Share this article on:

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office.

MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts –  Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.

In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed.

Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also enhanced, including the use of encryption on all portable computers used to store the sensitive information of Medicaid recipients.

The Massachusetts attorney general’s office investigated the breach and determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” Had those measures been implemented prior to the laptop theft, a breach of sensitive information could have been avoided.

Specifically, MBS had failed to develop, implement, and maintain a written security information program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff how to reasonably safeguard personal information.

A consent judgement against MBS was obtained by Massachusetts attorney General Maura Healey. That judgement requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.

Attorney general Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On