Encryption and Securing BYO Devices at the Heart of Massachusetts AG $100,000 Settlement

The Massachusetts Attorney General announced Friday that her office had reached a settlement with Beth Israel Deaconess Medical Center (BIDMC) surrounding a 2012 data breach in which a physician’s unencrypted personal laptop containing patient and employee information was stolen from BIDMC’s grounds.  Under the terms of the settlement, BIDMC agreed to pay a $100,000 fine and take additional measures to ensure compliance with state and federal data security requirements, including encrypting, physically securing and tracking all portable devices, and training employees on how to handle patients’ personal and protected health information (PHI).

In May 2012, a physician’s unencrypted personal laptop was stolen from an unlocked office at BIDMC. Although routinely used for hospital-related business with BIDMC’s knowledge and permission, the laptop was not encrypted or secured as required under BIDMC policy. As a result, the personal information/PHI of nearly 4,000 patients and employees was exposed due to the breach. The Attorney General’s Office later filed suit against BIDMC under Massachusetts consumer protection and data security laws and HIPAA, citing BIDMC’s failure both to adequately secure the laptop and to timely notify patients of the breach.

The data breach at BIDMC and the resulting settlement demonstrate the importance that covered entities must place on adequately securing portable devices that contain sensitive patient information, as well as carefully adhering to both state and federal data security and breach notification requirements.  Again, this settlement demonstrates the importance of encryption in avoiding a data breach.

The data breach also highlights one of the difficult problems with the “bring your own device” or “BYOD” trend, where employees and others use their personal computers, phones, tablets, and other portable devices in the workplace.  Entities that permit BYOD and grant employees access to sensitive information on their personal devices must impose requirements so that personal information and PHI on those devices are adequately protected.  Entities should know what devices contain personal information and PHI and should take steps necessary to verify that those devices adhere to the entity’s security requirements. Otherwise, an entity might find that allowing BYOD can be more trouble than it is worth.