UMass Memorial reaches $230,000 settlement with the state of Massachusetts

September 28, 2018
Medicare Web

UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Inc. reached a $230,000 settlement with the state of Massachusetts in response to two data breaches that exposed the personal health information (PHI) of more than 15,000 Massachusetts residents, according to a press release from the Massachusetts Attorney General (AG).

The complaint, filed by the AG in September 2018, alleges that two UMass Memorial employees separately used patient PHI to open mobile phone and credit card accounts. The lawsuit also alleges that UMass Memorial knew about the employees’ actions and did not properly investigate the complaints, discipline the employees, or take steps to protect the exposed information. The AG’s office alleges the UMass Memorial entities violated the Consumer Protection Act, the Massachusetts Data Security Law, and HIPAA.

The AG’s investigation found that the exposed PHI included:

  • Addresses
  • Clinical information
  • Health insurance information
  • Names
  • Social Security numbers

The settlement also includes an agreement that UMass Memorial will conduct employee background checks, train employees on proper handling of PHI, limit employee access to PHI, and promptly investigate suspected improper access. UMass Memorial is also required to hire an independent firm to conduct a review of its data security policies and procedures.
