Hospital asked to pay $100,000 as penalty for security breach
Lack of encryption
Attorney General Martha Coakley’s office said doctors at Beth Israel Deaconess failed to follow policies to protect patient information. The hospital also failed to notify patients about the breach, as required by law, for several months, Coakley said. The breach exposed patients’ medical histories as well as their Social Security numbers; nearly 4,000 patients were affected.

The central issue in the lawsuit was that the hospital stored all of this information without encrypting it. Encryption is a process in which data is converted, usually by applying an algorithm, into a form that is unreadable and undecipherable by humans. To read such data, a person needs to know the encryption algorithm, with which it can be decoded. Encrypted data can be broken with some effort, but doing so requires someone well versed in security. In this case the hospital did not even take that step, leaving the door open for even a layman to steal critical information.

Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures. “After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Other Cases
Coakley reached settlements over similar data privacy violations with South Shore Hospital in Weymouth in 2012 and with Women and Infants Hospital in Providence earlier this year. South Shore was fined $750,000, and Women and Infants had to pay $150,000.