Women and Infants Hospital of Rhode Island (WIH) agreed to pay $150,000 in a settlement with the Massachusetts attorney general's office on Wednesday following a massive data breach that included the loss of personal information of nearly 12,000 Massachusetts-based patients.
The case began in April 2012 when the hospital realized it was missing 19 unencrypted backup tapes from two of its prenatal centers (one in Rhode Island and the other in New Bedford, Mass.). According to the Associated Press, the tapes contained ultrasound images, patient names, and, in some cases, social security numbers.
"Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities,” Attorney General Martha Coakley said in a statement. "This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again."
The attorney general explained that the tapes were meant to be transported off-site to be transferred into a new database in 2011, but due to poor inventory and tracking, were discovered missing nearly six months later. The hospital, as part of the settlement, will pay a civil penalty of $110,000, lawyers' fees, and a sum that will go toward further education of healthcare providers in the state on the importance of securing and properly maintaining patient data.
"WIH has agreed to take steps to ensure future compliance with state and federal data security laws and regulations, including maintaining an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media and paper patient charts containing personal information and protected health information," the attorney general's statement read. "The hospital also agreed to perform a review and audit of security measures and to take any corrective measures recommended in the review."