Boston Children's Hospital agrees to pay $40K, bolster security in patient data breach case
Boston Children's Hospital has agreed to pay $40,000 and bolster its patient data security following a data breach that compromised the personal information of more than 2,100 patients, the state attorney general's office announced Friday.
The judgment, entered in Suffolk Superior Court, alleges the hospital failed to protect the health information of the patients, about 1,700 of whom were children.
The data — including names, birthdates, diagnoses and surgery dates — was on a hospital-issued unencrypted laptop stolen from a doctor on official business in Argentina in May 2012. The information had been sent in an email from a colleague.
Under the terms of the consent judgment, the hospital will pay a $30,000 civil penalty and $10,000 to a fund administered by the attorney general's office for educational programs concerning protected health information.
"Today's settlement will put in place and enforce important technological and physical security measures at Boston Children's Hospital to help prevent a breach like this from happening again," Attorney General Martha Coakley said.
The hospital said it has already toughened security protocols.
"After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that Boston Children's security policies and technologies are state-of-the-art," the hospital said in a statement. "Every device that is issued by Boston Children's is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted."