Massachusetts Continues Aggressive Information Security Enforcement Agenda

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes.  The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were not encrypted.  As a result of the consent judgment, WIH will pay a civil penalty of $110,000, attorney fees of $25,000, and contribute $15,000 to funds organized by the Attorney General to support data security enforcement actions and education on the protection of sensitive personal information. The Attorney General asserted that WIH failed to discover the breach in a reasonably timely fashion.  The backup tapes were allegedly transferred off-site during the summer of 2011 but their loss was not noticed until April 2012 and public notice was provided in November 2012.  The Attorney General claimed that the delay in detecting the loss resulted from inadequate inventory and tracking of sensitive personal information.  In addition, the Attorney General asserts that notification to consumers was delayed because of “deficient employee training and internal policies”.

The WIH consent judgment follows the recent pattern of litigation to implement the Massachusetts data security regulations, 201 C.M.R. 17.00, and the HITECH Act provisions empowering state attorneys general to enforce HIPAA.  This is consistent with the consent judgments entered into with Goldthwaite Associates in 2013 and South Shore Hospital in 2012.

Several important lessons may be learned from this recent sequence of enforcement actions.

• The Massachusetts Attorney General will pursue actions under the Massachusetts data security regulations against out-of-state enterprises that handle the personal information of Massachusetts residents.  Prior enforcement actions have focused upon Massachusetts-based businesses.  Going forward, out-of-state businesses having sufficient minimum contacts with the Commonwealth of Massachusetts should evaluate their data protection practices in order to avoid running afoul of the Massachusetts data security regulations.
• The U.S. Department of Health and Human Services (“HHS”) is cooperating with state attorneys general that wish to pursue compliance enforcement actions under HIPAA.  Accordingly, HIPAA covered entities and business associates across the country should note that the states may become a bigger factor in HIPAA enforcement in the future.
• Businesses should maintain appropriate procedures to inventory and track the sensitive personal information that they collect and use.  Accurate data inventory can help businesses better identify their security risks and detect anomalous events in a timely fashion.
• Businesses should also take steps to maintain comprehensive procedures for investigating and responding to data breaches.  Such procedures help businesses avoid the kinds of delays in public notification that may elevate the concerns of federal and state regulators.
• While encryption is not a panacea for privacy and security issues, there are several circumstances where it can substantially reduce legal risks.  The inability to implement physical and other reliable access safeguards makes encryption particularly valuable for protecting electronic media transported outside company facilities.