UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents.

A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information.

In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names.

It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security laws, the Consumer Protection Act, and the Health Insurance Portability and Accountability Act.

UMass Memorial Health Care cooperated fully with the state attorney general’s investigation into the data breaches and agreed to settle the resulting lawsuit. In addition to paying the $230,000 fine, UMass Memorial Health Care will ensure that employee background checks are conducted prior to hiring new staff, all employees will receive further training on the correct handling of PHI, employee access to patient health information will be limited, risk analyses will be conducted to identify potential security issues, and any issues that are found will be subjected to a HIPAA-compliant risk management process. UMass Memorial Health Care will also ensure proper employee discipline and any suspected cases of improper accessing of ePHI will be investigated promptly.

Both UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., are also required to hire an independent firm to conduct a thorough review of data security policies and procedures and must report back to the Mass attorney general’s office on the findings of those reviews.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said Maura Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

“In the four years since [these breaches] took place we have taken steps aimed at further strengthening our privacy and information security program,” said a UMass Memorial Health Care spokesperson in a written statement. “This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures.”

State Attorneys General Pick Up the Slack in HIPAA Enforcement

After two years of increased enforcement of HIPAA Rules the HHS’ Office for Civil Rights has eased up on settlements and civil monetary penalties to resolve HIPAA violations, with only five settlements reached in 2018 and one civil monetary penalty issued. While OCR has eased up on financial penalties for HIPAA violations, state attorneys general fines are on track to make 2018 a record year for HIPAA enforcement.

UMass Memorial Health Care is the fifth healthcare organization to settle a HIPAA violation case with a state attorney general in 2018, joining The Arc of Erie County ($200,000), EmblemHealth ($575,000), and Aetna ($1,150,000) which have all been fined by the New York AG this year, and Virtua Medical Group which settled HIPAA violations with the New Jersey AG for $417,816 in April.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.