Hospital asked to pay $100,000 as penalty for security breach
Beth Israel Deaconess Medical Center has agreed to pay a $100,000 fine and improve the security of patient information after a 2012 data breach left thousands of patients’ details vulnerable. The breach happened when an “unauthorized person” stole an unencrypted laptop from a doctor’s office. The computer contained health or personal information, such as names and Social Security numbers, of nearly 4,000 patients and employees. The computers used by the hospital’s doctors held crucial patient information. Two years ago, an individual managed to steal one of these computers and found that all the patient information it held was unencrypted, and hence had complete access to it.
Lack of encryption
Attorney General Martha Coakley’s office said doctors at Beth Israel Deaconess failed to follow policies to protect patient information. The hospital also failed to notify patients about the breach, as required by law, for several months, Coakley said. The breach laid bare information pertaining to the patients’ medical history as well as Social Security numbers. The total number of patients affected amounted to nearly 4,000. The main issue in the lawsuit was that the hospital stored all such information without even encrypting it.
Encryption is a process in which data is converted, by applying an algorithm, into a form that is unreadable and undecipherable by humans. To read such data, a person needs the key that was used with the encryption algorithm, with which it can be decoded. Encrypted data can be broken with some effort, but that requires someone who is very well versed in security. In this case, the hospital did not even bother to do that much, leaving the door open for even a layman to steal critical information.
Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures. “After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Coakley reached settlements over similar data privacy violations with South Shore Hospital in Weymouth in 2012 and Women and Infants Hospital in Providence earlier this year. South Shore was fined $750,000, and Women and Infants had to pay $150,000.