[BreachExchange] UMass Memorial health care entities to pay $230,000 over data breaches — 15,000 patients exposed

Destry Winant destry at riskbasedsecurity.com
Thu Sep 20 22:14:59 EDT 2018


http://www.telegram.com/news/20180920/umass-memorial-health-care-entities-to-pay-230000-over-data-breaches---15000-patients-exposed

WORCESTER — UMass Memorial Medical Center Inc. and UMass Memorial
Medical Group Inc. will pay $230,000 to the state after two former
employees, in separate data breaches, exposed the personal and health
information of more than 15,000 state residents for personal
fraudulent purposes, Attorney General Maura Healey announced
Thursday.

The two former employees in separate breaches accessed patients’
information — including names, addresses, Social Security numbers,
clinical information and health insurance information — for fraudulent
purposes, such as opening cell phone and credit card accounts, the AG
announced in a news release.

The two UMass Memorial entities allegedly knew about the employees’
misconduct, but failed to properly investigate complaints, the AG’s
office maintains in its complaint, filed last week along with a
consent judgment in Suffolk Superior Court.

In addition to the $230,000 penalty, UMass Memorial Medical Group,
Inc. and UMass Memorial Medical Center Inc. have agreed to conduct
employee background checks and ensure proper employee discipline;
train employees on the proper handling of patient information; limit
employee access to patient information; identify and remediate
potential data security issues; and promptly investigate suspected
improper access to patient information.

The entities will also have to hire an independent third-party company
to conduct a review of their data security policies and procedures. The
report will be forwarded to the AG’s office.

A UMass Memorial spokesman, in a statement distributed to media
outlets, said, “UMass Memorial regrets that these incidents occurred.
In the four years since they took place we have taken steps aimed at
further strengthening our privacy and information security program.
This includes the implementation of additional technical tools that
safeguard patient information, and enhancement of our existing privacy
and information security procedures. We cooperated fully with the
attorney general’s office to reach the resolution announced today.”

