Beth Israel Deaconess Medical Center has agreed to pay a $100,000 fine and improve the security of patient information after a 2012 data breach left thousands of patients’ details vulnerable.
The breach happened when an “unauthorized person” stole an unencrypted laptop from a doctor’s office. The computer contained health or personal information, such as names and Social Security numbers, of nearly 4,000 patients and employees.
Attorney General Martha Coakley’s office said doctors at Beth Israel Deaconess failed to follow policies to protect patient information. The hospital also failed to notify patients about the breach, as required by law, for several months, Coakley said.
Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures.
“After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Encryption scrambles stored data so that, without the key, it cannot be read by unauthorized people; had the stolen laptop's disk been encrypted, the thief would have had the hardware but no readable patient records.
Coakley reached settlements over similar data privacy violations with South Shore Hospital in Weymouth in 2012 and Women and Infants Hospital in Providence earlier this year. South Shore was fined $750,000, and Women and Infants had to pay $150,000.