St. Elizabeth’s Medical Center will pay $218,400 in a settlement with the federal government for failing to comply with rules to safeguard private patient information.
The Brighton hospital, owned by Steward Health Care System, also must adopt a “robust corrective action plan” to comply with federal laws in the future, the US Department of Health and Human Services said in a statement.
The settlement concerns violations of the Health Insurance Portability and Accountability Act, commonly known as HIPAA, which regulates the privacy and security of patient information. It comes after federal regulators investigated a 2012 complaint that employees at St. Elizabeth’s used an Internet-based document sharing program to store health information of at least 498 patients.
In August 2014, St. Elizabeth’s also reported a data breach involving information about 595 patients on a former employee’s personal laptop and flash drive.
“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications,” Jocelyn Samuels, director of the HHS’s Office for Civil Rights, said in a statement. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
Brooke Thurston, a spokeswoman for Steward, St. Elizabeth’s parent company, said there are no indications that any patient data was viewed or misused because of the 2012 and 2014 incidents.
“All patients that needed to be notified were contacted back when the events occurred,” Thurston said. “St. Elizabeth’s has taken steps to ensure this will not happen again.”
Several other large health systems have experienced data breaches or mistakenly exposed private patient data. They include Beth Israel Deaconess Medical Center, Boston Children’s Hospital, and Partners HealthCare.