The Massachusetts Attorney General’s office launched a new online data breach reporting tool. The purpose of this tool is to help breached entities easily submit breach notifications. As required by the Massachusetts data breach notification law (M.G.L. c. 93H), organizations need to notify the Massachusetts Attorney General’s office when they experience a breach of personal information. The notification must be submitted as soon as possible and without unnecessary delay. In addition, the incident must be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR). Individuals affected by the breach must also receive notifications.
Massachusetts Attorney General Maura Healey explained the risk of identity theft and financial fraud caused by data breaches. Hence, breaches must be reported to law enforcement and consumers immediately. With the new data breach reporting tool, reporting data breaches becomes more efficient. It would allow action to be taken and information to be shared with the public faster. The Massachusetts Attorney General’s office will upload a database to its website summarizing the data breaches affecting state residents. This webpage will be just like the Department of Health and Human Services’ Office for Civil Rights’ breach portal. There will be a section called “Wall of Shame.” It’s a list of organizations that had breaches, indicating the date each breach occurred and the number of residents impacted.
The online portal and breach listing are a state project that demonstrates how committed the state is to giving residents prompt notification of data breaches. Prompt notification is necessary to allow people to take action immediately to mitigate risks. Businesses should also be held accountable for security breaches to make sure something is done to prevent the same occurrence.
Massachusetts was the first state to make the firm Equifax pay for its mistakes. It happened last year when a breach by Equifax prompted Attorney General Healey to file an enforcement action against Equifax seeking civil penalties, restitution, disgorgement of profits, costs and attorney’s fees, plus injunctive relief to avoid harm to state residents.
Massachusetts is one of the few states that exercise the right to pursue financial penalties when healthcare entities violate HIPAA Rules. It will continue to do so and will make sure firms address vulnerabilities and implement reasonable safeguards to secure state residents’ PHI.