Medical practice agrees to pay $140,000 to Massachusetts Attorney General for privacy breach

January 15, 2013

The former owner of a medical billing practice and four pathology groups have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public.

The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The complaint against the medical practices alleged violations of the HIPAA Privacy Rule as well as the Massachusetts information security regulations that require reasonable and appropriate security measures to protect personal information.

The Attorney General’s press release is found here and relevantly provides:

Former owners of a Marblehead-based medical billing practice and four pathology groups have agreed to collectively pay $140,000, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump, Attorney General Martha Coakley announced today.

The complaint, filed in Suffolk Superior Court along with consent judgments that were approved today, alleges that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown Transfer Station. The medical records contained information for more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped. 

“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” AG Coakley said. “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”

This matter came to the public’s attention in July 2010 when a Boston Globe photographer was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records. His discovery was first reported in the Globe shortly thereafter.

The other defendants involved in this settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; and Pioneer Valley Pathology Associates, P.C.

The AG’s Office alleges that these pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.

According to the complaint, the Gagnons ran Goldthwait Associates – which primarily provided medical billing services for pathology groups – and received sensitive medical records and billing information of clients in order to send medical bills on behalf of the groups. The Gagnons retired from Goldthwait Associates and the medical billing business in 2010.

Each of the four pathology groups and the Gagnons agreed to entry of consent judgments to resolve the AG’s allegations. Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts. 

The AG’s Office is focused on ensuring that health care practices and their business associates abide by the state and federal data privacy requirements. Recent efforts include the $750,000 settlement with South Shore Hospital in May 2012, resolving allegations that it failed to protect the personal and confidential health information of more than 800,000 patients. 

AG Coakley is also leading an educational effort in the area of data privacy. A first-of-its-kind data privacy training – sponsored jointly by the AG’s Office and the Massachusetts Medical Society – was held in October 2012 and focused on health care entities, including speakers from state and federal government and the private sector. A second training is being held this Thursday in cooperation with the Massachusetts Hospital Association.

This matter is being handled by Assistant Attorneys General Wendoly Ortiz Langlois of the Health Care Division and Shannon Choy-Seymour of the Consumer Protection Division.

The size of the settlement provides an interesting touchstone and comparator on what awards the Privacy Commissioner may seek with his enhanced powers to bring enforcement proceedings in the Federal Court when the amendments to the Privacy Act come into effect in 2014. The Commissioner has been decidedly light touch, and forgiving, in dealing with release of private information by organisations that store data. That is particularly the case compared to the approach taken by the EU, UK and US regulators, the latter of which are not famous for being stringent.
