HIPAA Case Settled for $140K

This case is a good example of what can happen when your practice does not adequately protect your patients' PHI. A seemingly simple mistake can turn into a very large fine.

Former owners of a Marblehead-based medical billing practice and four pathology groups have agreed to collectively pay $140,000, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump, Attorney General Martha Coakley announced today.

The complaint, filed in Suffolk Superior Court along with consent judgments that were approved today, alleges that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown Transfer Station. The medical records contained information for more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped.

"Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors," AG Coakley said. "We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again."

This matter came to the public's attention in July 2010 when a Boston Globe photographer was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records. His discovery was first reported in the Globe shortly thereafter.

The other defendants involved in this settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; and Pioneer Valley Pathology Associates, P.C.

The AG's Office alleges that these pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.

According to the complaint, the Gagnons ran Goldthwait Associates, which primarily provided medical billing services for pathology groups, and received sensitive medical records and billing information of clients in order to send medical bills on behalf of the groups. The Gagnons retired from Goldthwait Associates and the medical billing business in 2010.

Each of the four pathology groups and the Gagnons agreed to the entry of consent judgments to resolve the AG's allegations. Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.

The AG's Office is focused on ensuring that health care practices and their business associates abide by the state and federal data privacy requirements. Recent efforts include the $750,000 settlement with South Shore Hospital in May 2012, resolving allegations that it failed to protect the personal and confidential health information of more than 800,000 patients.