Encryption and Securing BYO Devices at the Heart of Massachusetts AG $100,000 Settlement

By  Rebecca L. Williams and Anna C. Watterson
11.25.14

The Massachusetts Attorney General announced Friday that her office had reached a settlement with Beth Israel Deaconess Medical Center (BIDMC) surrounding a 2012 data breach in which a physician’s unencrypted personal laptop containing patient and employee information was stolen from BIDMC’s grounds.  Under the terms of the settlement, BIDMC agreed to pay a $100,000 fine and take additional measures to ensure compliance with state and federal data security requirements, including encrypting, physically securing and tracking all portable devices, and training employees on how to handle patients’ personal and protected health information (PHI).

In May 2012, a physician’s unencrypted personal laptop was stolen from an unlocked office at BIDMC. Although routinely used for hospital-related business with BIDMC’s knowledge and permission, the laptop was not encrypted or secured as required under BIDMC policy. As a result, the personal information/PHI of nearly 4,000 patients and employees was exposed due to the breach. The Attorney General’s Office later filed suit against BIDMC under Massachusetts consumer protection and data security laws and HIPAA, citing BIDMC’s failure both to adequately secure the laptop and to timely notify patients of the breach.

The data breach at BIDMC and the resulting settlement demonstrate the importance that covered entities must place on adequately securing portable devices that contain sensitive patient information, as well as on carefully adhering to both state and federal data security and breach notification requirements. This settlement is one more demonstration of the importance of encryption in avoiding a data breach.

The data breach also highlights one of the difficult problems with the “bring your own device” or “BYOD” trend, where employees and others use their personal computers, phones, tablets, and other portable devices in the workplace.  Entities that permit BYOD and grant employees access to sensitive information on their personal devices must impose requirements so that personal information and PHI on those devices are adequately protected.  Entities should know what devices contain personal information and PHI and should take steps necessary to verify that those devices adhere to the entity’s security requirements. Otherwise, an entity might find that allowing BYOD can be more trouble than it is worth.
