UMass Memorial Health Care in Worcester, Mass., agreed to pay a $230,000 settlement to resolve claims that two separate data breaches exposed the personal and health information of more than 15,000 patients.
A complaint filed one week before the settlement was announced claimed that two former UMass Memorial employees improperly accessed patients' personal and protected health information for fraudulent purposes. Patients' names, addresses, Social Security numbers, clinical data and health insurance information had been exposed.
The state Attorney General's Office claimed the hospital violated HIPAA, as well as the Consumer Protection Act and the Massachusetts Data Security Law, when it allegedly failed to adequately protect patient data. Specifically, the complaint alleges the hospital was aware of its employees' misconduct, but that it didn't investigate the incidents or take action against the employees involved.
"Massachusetts residents rely on their healthcare providers to keep private health information safe and secure," Attorney General Maura Healey said in a news release. "This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again."