HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office.

MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts –  Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.

In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed.

Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also enhanced, including the use of encryption on all portable computers used to store the sensitive information of Medicaid recipients.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The Massachusetts attorney general’s office investigated the breach and determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” Had those measures been implemented prior to the laptop theft, a breach of sensitive information could have been avoided.

Specifically, MBS had failed to develop, implement, and maintain a written security information program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff how to reasonably safeguard personal information.

A consent judgement against MBS was obtained by Massachusetts attorney General Maura Healey. That judgement requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.

Attorney general Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.