McLean Hospital to Pay $75,000 HIPAA Violation Fine

Massachusetts Attorney General Maura Healey has fined McLean Hospital $75,000 for a data breach in 2015 that exposed approximately 1,500 patients’ protected health information (PHI).

McLean Hospital is a psychiatric hospital located in Belmont, MA. The hospital permitted an employee to take eight backup tapes home on a regular basis. When the employee was dismissed in May 2015, McLean Hospital recovered only four of the tapes. The unencrypted backup tapes contained the PHI of about 1,500 patients, staff and Harvard Brain Tissue Resource Center tissue donors.

The missing backup tapes contained clinical and demographic data, including names, healthcare diagnoses, family histories and Social Security numbers. Aside from the PHI exposure, the state AG’s investigation of McLean Hospital found failures in:

  • Employee training
  • Identifying, assessing and planning for security risks
  • Reporting the loss of the tapes within a reasonable time frame
  • Encrypting the PHI or using an alternative measure to safeguard PHI contained on portable devices

Backups of sensitive information need to be made regularly so that, in the event of a disaster, patients’ PHI can be recovered. If employees take backups home, appropriate security controls must be in place to prevent unauthorized access and to ensure that no PHI is exposed if the tapes are lost or stolen. HIPAA does not require encryption of PHI, but if the decision is taken not to encrypt data, an alternative measure that offers an equivalent level of protection must be used in its place.

Besides the financial penalty, McLean Hospital agreed to improve its privacy and security procedures. A written data security program will be implemented and followed. New and existing employees will receive training on the privacy and security of PHI, and an inventory will be created of all portable devices containing ePHI. Encryption will also be implemented on all electronic devices containing ePHI within 60 days.

McLean also agreed to have the Harvard Brain Tissue Resource Center audited by a third party to evaluate its management of portable devices that contain personal and health data.

This is the second time that Massachusetts has issued a HIPAA violation penalty in 2018. UMass Memorial Medical Center paid $230,000 in September to resolve HIPAA violations discovered during a breach investigation.