Massachusetts firm agrees to pay fine for disposing patient information at a landfill.
According to the Massachusetts Attorney’s General Office, former owners of a Marblehead, Mass.-based medical billing practice and four pathology groups have agreed to collectively pay $140,000, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public landfill.
In a statement, Massachusetts Attorney General Martha Coakley says the complaint, filed Jan. 7, 2013, alleges that Joseph and Louise Gagnon, doing business as Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown (Massachusetts) Transfer Station. The medical records contained information for more than 67,000 residents, including names, Social Security numbers and medical diagnoses, that was not redacted or destroyed when the records were dumped.
“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” Coakley says. “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”
The matter came to the public’s attention in July 2010 when a Boston Globe photographer observed a large mound of paper that, upon closer inspection, he determined included medical records. His discovery was first reported in the Globe shortly thereafter.
The other defendants involved in this settlement are Dr. Kevin Dole, former president of Chestnut Pathology Services P.C.; Milford Pathology Associates P.C.; Milton Pathology Associates P.C.; and Pioneer Valley Pathology Associates P.C.
The Attorney General’s Office alleges that the pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.
Each of the four pathology groups and the Gagnons agreed to entry of consent judgments to resolve the allegations. Under the settlements, the defendants have agreed to pay a total of $140,000 in civil penalties and attorney fees as well as to a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.