HHS Settlement Follows Enforcement Fine

In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data.  This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine.  The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.  

While the settlement did not include an admission of liability, the hospital must, in addition to the monetary settlement and submitting to HHS oversight, adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility. Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices. Despite a general prohibition on employees physically removing protected health information from the hospital, HHS permitted an exception when the information is removed by an employee to perform his or her job duties. Additionally, the hospital must implement training for all employees.

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions.  In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.


Florida AG Settles Data Breach under "Deceptive and Unfair Trade Practices" Authority

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to:

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedures.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses.