HIPAA Violations Legal Actions Settled with General Children’s Hospital

Sep 19, 2017

Less than one month after Boston’s Beth Israel Deaconess Medical Center reached a settlement with the Massachusetts Attorney General for HIPAA violations after a laptop was stolen containing unencrypted PHI, Boston Children’s Hospital has been fined for failing to secure electronic patient health records.

According to the Security Rule, all entities covered by HIPAA must ensure that appropriate controls are implemented to protect ePHI. Following amendments to the HIPAA regulations, state Attorneys General are permitted to take action against HIPAA covered entities within their jurisdictions, and the Massachusetts Attorney General’s office is vigorously pursuing healthcare providers that violate data privacy and security laws.

Unlike the Beth Israel data breach, the information exposed in the BCH breach was contained in an email attachment. Because the data was not kept on the hard drive, the hospital was unable to determine whether it was actually accessible through the laptop. The physician in question thought he had taken the appropriate steps to remove PHI from the laptop.

The theft of the laptop on March 25 was thought to have potentially exposed only a limited amount of data, with up to 2,159 patients and parents affected. No Social Security numbers were included in the data, although names, medical record numbers, surgery dates, diagnoses, treatments, procedures and dates of birth were included.

BCH had refreshed its policies to allow for the changes to HIPAA brought about by the Privacy and Security Rules, and it was hospital policy to encrypt the data on all laptops; however, in this case no data encryption was in place.

The level of danger faced by the potential victims may also have been underestimated. The patients were warned of the potential disclosure of medical records, but since no Social Security numbers or financial details were in the data set, the hospital did not offer damage mitigation services to protect them from identity theft.

According to state law, any data breach involving personally identifiable information and medical records is classed as identity theft, and identity theft protection services should be supplied to the victims. Personally identifiable information includes a surname and first name or initial, together with a driver’s license number, state ID card number, bank account number, debit or credit card number or Social Security number.

The fine of $40,000 was not harsh; Beth Israel had settled for $100,000 just a few weeks previously. The lower penalty takes into account the actions taken by the healthcare provider to protect the data, and the Attorney General did recognize that the physician in question believed he had taken sufficient steps to protect PHI.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
