During the summer of 2010, while dumping his own garbage at the Georgetown Transfer Station, a Boston Globe photographer saw a large pile of paper which, after further inspection, turned out to be medical records of more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed. His discovery led to a Boston Globe article and the eventual investigation by Massachusetts Attorney General Martha Coakley. On January 7, 2013, Attorney General Coakley announced a $140,000 settlement with the individual and entities involved – one physician, three medical practices, and the medical billing vendor for these health care providers.

The health care providers and the billing company all were subject to the Massachusetts data security regulations, including the obligation to dispose of and destroy personal information in a secure manner. Massachusetts General Laws Chapter 93I. Of course, with regard to the health care providers, the Attorney General alleged they failed to take reasonable steps to select and retain a service provider (the medical billing company) that would maintain appropriate security measures to protect such confidential information. In addition, the providers and the medical billing company had obligations to safeguard the protected health information in the documents that were discarded under the HIPAA privacy and security regulations, as amended by the HITECH Act. As a result, the Attorney General could exercise her enforcement authority under state law, as would be expected, but also under HIPAA, pursuant to the authority granted under the HITECH Act.

This incident represents another reminder for companies (health care providers, in particular) to appropriately evaluate their vendors and service providers to ensure they will safeguard the personal information with which they have been entrusted.