Hospital Pays $1 Million Penalty For Loss Of Patient Data

Published: 22/11/2024   Category: security




Mass General suffers lawsuit, heavy fine when employee leaves records on train



All security professionals fear the consequences of an online hack or of failing a compliance audit. But last week, a Massachusetts hospital was forced to pay $1 million in penalties for what might have been an honest mistake.
According to a settlement with the Department of Health and Human Services (PDF), Massachusetts General Hospital has agreed to pay a $1 million resolution for the loss of records containing the personal health information of 192 individuals.
The penalty follows a lawsuit filed by two HIV-positive patients whose records were among those lost.
The stiff penalty is the result of an incident that occurred two years ago, when a hospital billing manager took the paper records out of the hospital offices in order to work on them from home. The billing manager mistakenly left the records behind on an MBTA subway train, where they were lost and never recovered.
In addition to the $1 million resolution and the legal fees resulting from the lawsuit, Mass General also agreed to implement a corrective action plan to help secure patient information, which includes instituting new policies on the handling of paper documents, as well as encryption of data on laptops and other portable devices. Mass General must also pay to train its employees on the corrective action plan, and must audit its policies and procedures at least once a year.
While penalties for exposing customer information are not unheard of, most such penalties have been the result of unauthorized access to online data records or careless handling of sensitive information. In most cases, the penalties were exacted after the loss of many more records than the 192 lost in the Mass General incident.
Just this week, in fact, HSBC received a harsh reprimand from Swiss regulators over the insider theft of more than 24,000 customer records. HSBC was not asked to pay a penalty.