On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that her office had entered into a settlement agreement with South Shore Hospital over allegations that it sent hundreds of unencrypted back-up computer tapes containing the personal information of more than 800,000 consumers offsite to be erased without appropriate safeguards. The agreement resolves a lawsuit the AG filed against the hospital based on allegations that only one of three boxes of the back-up tapes arrived at its destination and that the hospital also failed to inform its vendor that personal and protected information was on the back-up tapes.
The AG’s lawsuit brought claims under both the Massachusetts Consumer Protection Act and HIPAA/HITECH. It alleges that the hospital failed to, inter alia, implement appropriate safeguards, policies, and procedures to protect consumers’ information.
Under the terms of the consent judgment, in addition to paying a total of $750,000 in penalties and other payments, the hospital agreed to undergo an audit of its security measures and will take a variety of measures to ensure compliance with both federal and state data security regulations and laws, including with regard to its contracts with third parties engaged for the purposes of data destruction.
AG Coakley’s action against South Shore Hospital serves as an important reminder to businesses that AGs can and will bring actions to enforce both state and federal law as a result of data breaches. As we noted last week, states are likely to continue to look at business practices affecting data privacy, especially in light of the fact that this will be the focus of Maryland AG Gansler’s Presidential Initiative for 2012-13.
This settlement also illustrates the importance of businesses not only implementing safeguards to protect consumer data stored in-house from data breaches, but also taking appropriate steps to ensure that any data transferred out of the business—either for archiving or destruction—is appropriately encrypted and protected so that it cannot be accessed by other parties. Businesses should evaluate their contracts with third-party vendors handling consumer data to ensure that appropriate measures are in place to maintain the confidentiality of that data. A single mistake in shipping unencrypted consumer data can result in hefty penalties.