An out-of-state company recently got in hot water in Massachusetts for being too slow to figure out it had suffered a data security breach. Women & Infants Hospital of Rhode Island agreed to pay $150,000 for a security breach affecting more than 12,000 Massachusetts patients, as part of a July 23 consent agreement with the Massachusetts Attorney General (AG).

The breach was considered a violation of both Massachusetts state law and federal healthcare privacy and security law (HIPAA). The breached information “included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images.”

In April 2012, the hospital “realized that it was missing 19 unencrypted back-up tapes” which were supposed to have been sent a year earlier to a central data center for the hospital’s parent company. “However, due to an inadequate inventory and tracking system,” the AG alleged that the hospital “did not discover the tapes were missing until the spring of 2012. Due to deficient employee training and internal policies, the breach was not properly reported under the breach notification statute to the AG’s Office and to consumers until the fall of 2012.”

MR compliance guidance
The AG settlement represents both an increased focus for state AGs in pursuing data security violations and an increased ability (and willingness) to prosecute HIPAA violations. Given that we saw the largest HIPAA settlement yet ($4.8 million) back in May, researchers should be wary.

Survey, opinion and marketing researchers need to comply with Massachusetts’ data security law and HIPAA, as well as all the other state data security laws (depending on where researchers and their respondents are located). Beyond that, this legal case should also serve as a reminder to the MR profession to properly involve employees in data security efforts, appropriately dispose of data you don’t need, review and/or audit data security practices and policies, and prepare potential responses to a data breach. After all, even the most insignificant of companies can suffer from, and be punished for, data security breaches.