The psychiatric hospital agreed to pay $75,000 in fines after it let an employee “regularly take home eight unencrypted backup tapes” with personal information. The tapes included names, Social Security numbers, diagnoses and family histories from the Harvard Brain Tissue Resource Center, which McLean Hospital oversees.
After the employee was terminated from the hospital in May 2015, she returned only four tapes, and the hospital did recover the rest, Ms. Healey’s office said.
A consent judgment, in which all parties agree to a settlement to end a lawsuit, was filed and must be approved to be legally binding.
Ms. Healey’s office said McLean Hospital violated the Consumer Protection Law, the Massachusetts Data Security Law and the Health Insurance Portability and Accountability Act.
“Since this incident, McLean has continued to enhance its privacy and security practices and procedures within the brain bank and throughout the research operation,” a hospital spokesperson told the Herald.
The hospital agreed to implement employee training programs on handling personal and health information as part of the settlement.