Health Care Provider Settles Over Breach that Exposed Thousands of Records

Massachusetts Attorney General Maura Healey alleged that two former UMass Memorial Medical Group and UMass Memorial Medical Center employees inappropriately accessed patient data.

by Melissa Hanson, MassLive.com / September 20, 2018

(TNS) — UMass Memorial Health Care entities will pay $230,000 to resolve a lawsuit filed by Massachusetts Attorney General Maura Healey after two separate data breaches exposed personal and health information of more than 15,000 residents.

Investigations by Healey's office revealed that the breaches exposed information including names, addresses, social security numbers, clinical information and health insurance information, Healey's office announced Thursday.

Two former employees of UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. -- entities of UMass Memorial Health Care -- improperly accessed patients' personal and protected health information for fraudulent purposes, including opening cell phone and credit card accounts, Healey's office said in a statement.

A complaint by Healey, as well as a consent judgment in Suffolk Superior Court, were filed last week. Healey's office alleges the UMass Memorial entities violated the Consumer Protection Act, the Massachusetts Data Security Law, and the Health Insurance Portability and Accountability Act when they failed to properly protect patients' information.

UMass Memorial allegedly knew of the employees' misconduct but failed to properly investigate complaints related to the data breaches. The healthcare system also failed to discipline the employees in a timely manner or take other steps to safeguard information, the statement said.

UMass Memorial Health Care said it would provide a statement regarding the settlement, but that statement was not immediately available.

"Massachusetts residents rely on their health care providers to keep private health information safe and secure," Healey said. "This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again."

As a part of the settlement, the UMass Memorial entities have agreed to conduct employee background checks and ensure proper employee discipline; train employees on the proper handling of patient information; limit employee access to patient information; identify and remediate potential data security issues; and promptly investigate suspected improper access to patient information, the statement said.

The entities will also be required to hire an independent third-party firm to perform a review of their data security policies and procedures, which the system will report to Healey's office.

©2018 MassLive.com, Springfield, Mass. Distributed by Tribune Content Agency, LLC.