RI Hospital to Pay Mass. $150K After Data Breach

Women & Infants Hospital of Rhode Island agreed to pay Massachusetts $150,000 after a data breach compromised the personal information of over 12,000 Bay State patients.

Massachusetts Attorney General Martha Coakley announced the settlement Wednesday.

The breach happened in November 2012 and involved patients' names, Social Security numbers, and ultrasound images, among other information.

"Personal information and protected health information must be properly safeguarded by hospitals and other healthcare entities," Coakley said in a statement. "This data breach put thousands of Massachusetts consumers at risk, and it is the hospital’s responsibility to ensure that this type of event does not happen again."

Coakley said in April 2012, the hospital realized it was missing 19 unencrypted tapes from two of its prenatal diagnostic centers, one in Providence and another in New Bedford.  The tapes contained information of 12,127 Massachusetts residents.

"In the summer of 2011, these back-up tapes were supposed to be sent to a central data center at WIH’s parent company, Care New England Health System and then shipped off-site in order to transfer legacy radiology information to a new picture archiving and communications system," Coakley said. "However, due to an inadequate inventory and tracking system, WIH allegedly did not discover the tapes were missing until the spring of 2012. Due to deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012."

The hospital agreed to pay a $110,000 civil penalty, $25,000 for attorney’s fees, and $15,000 to a fund to promote education concerning the protection of personal information and for future data security litigation.

The hospital also agreed to take steps to prevent a future data breach.