Beth Israel Deaconess Medical Center agreed to pay $100,000 to settle a complaint by the Massachusetts attorney general’s office that its lax data security led to the theft of personal information of about 4,000 patients and employees.
In May 2012, a physician’s unattended laptop was stolen from his desk at the hospital. The laptop contained health information of 3,796 patients and Beth Israel employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents. The attorney general’s office argued the hospital’s lack of security and failure to encrypt patient data were against the law.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” said Attorney General Martha Coakley.
Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures.
“After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Beth Israel is not the first hospital to be penalized for poor data security by Coakley’s office. Earlier this year, Women and Infants Hospital of Rhode Island agreed to pay $150,000, and South Shore Hospital settled a suit by the attorney general for $750,000 in 2012.