Beth Israel Deaconess Medical Center has agreed to pay a $100,000 fine for a patient data breach involving 4,000 patients and employees, the Boston Globe reports. The fine stems from a physician's laptop stolen in May 2012 that contained health information of 3,796 patients and Beth Israel employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents.
According to the Massachusetts attorney general's office, the hospital's lack of security and failure to encrypt patient data were against the law. Since the incident occurred in 2012, the hospital has improved its security procedures.
"After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies. Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted," said Dr. John Halamka, CIO at Beth Israel Deaconess, in a statement (Jack Newsham, Boston Globe, 11/21/14).
Data breaches remain a daily occurrence in the US healthcare market as a whole. Since 2009 it has been a federal requirement that large healthcare breaches affecting 500 or more patient records be reported to the Secretary of Health and Human Services; to date, breaches accounting for more than 38 million patient records have been reported in this way.