Archives: 201 CMR 17.00

If you haven’t yet caught up with the new HIPAA Omnibus Rule and its consequences for businesses that are not themselves healthcare providers but are service providers to healthcare entities (and even further downstream than that…), you can listen to our recent webinar highlighting the most important changes and issues.

A recent settlement released by the Massachusetts Attorney General calls attention to the fact that improper disposal of medical records and personal information can cost you.  The owners of a medical billing practice and four pathology groups, whose patient information was all improperly disposed of, will collectively pay $140,000 to settle the claims.

In July 2010 a Boston Globe photographer discovered a knoll of medical records at the Georgetown Transfer Station.  Goldthwait Associates, a medical billing practice, tossed the records of more than 67,000 Massachusetts residents at the public dump when they closed shop in May 2010.  The records included names, Social Security numbers, health insurance information and medical diagnoses.

The AG alleged that the owners of Goldthwait Associates improperly disposed of medical records and in doing so violated the Massachusetts Consumer Protection Act, the Massachusetts Data Disposal and Destruction Act, and the Massachusetts Security Breach Act (including 201 CMR 17.00).  The pathology groups were charged with “failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates” and not taking reasonable steps to retain a service provider that had appropriate security measures in place to protect personal information (PI) and protected health information (PHI).  The groups were alleged to be in violation of the Massachusetts Security Breach Act and the HIPAA Privacy and Security Rules.

The complaint outlines steps that the groups did not take during their relationship with Goldthwait, which can serve as a to-do list when onboarding new vendors:

  1.  inquire about the vendor’s methods for ensuring adequate safeguards for protecting PI and PHI;
  2.  inquire about the vendor’s methods for disposing of PI and PHI;
  3.  inspect the vendor’s facilities;
  4.  request a copy of the vendor’s policies and procedures or contracts that detail the vendor’s method for disposing of PI and PHI;
  5.  verify that employees of the vendor who come into contact with PI or PHI are adequately trained regarding the appropriate methods for handling or disposing of such information.

The settlement agreement requires each pathology group to vet all business associates, ensuring they have a written information security plan and the practices described are sufficient to comply with the groups’ obligations to protect personal information and PHI.  The groups must also execute business associate agreements before disclosing any PI or PHI to service providers.  AG Coakley said, “Personal health information must be safeguarded as it passes from patients to doctors to medical billers and third-party contractors.”

Gagnon, the owner of Goldthwait Associates, told news sources that some of the groups were his clients for over 25 years, which may explain why they failed to have formal agreements in place.  This settlement underscores the importance of reviewing the practices of your vendors (even if your best friend owns the company) and signing agreements with them that cover the protection of PI and PHI.  If you handle PHI you should also take a look at the data security tips for health care organizations for helpful ways to update your data security practices.

Written by Amy Malone

Do you have a comprehensive information security program?  Many businesses are still operating without one, leaving them open to preventable data breaches.  The importance of info security programs was yet again underscored by the recent settlement between Cbr Systems and the Federal Trade Commission regarding a breach that affected 300,000 consumers.

Cbr Systems operates an umbilical cord blood registry that allows consumers to store newborn cord blood and cord tissue.  In December of 2010 an employee’s Cbr laptop was stolen along with four backup tapes, an external hard drive, a flash drive and other company materials.  The unencrypted backup tapes contained personal information including names, Social Security numbers, dates of birth, driver’s license numbers and credit and debit card numbers.  The company hardware was also unencrypted and contained logins and passwords with which an intruder could access the Cbr networks and potentially other personal information.

The FTC analyzed a host of practices used by Cbr and found that Cbr did not provide reasonable security for consumers’ information.  The practices the FTC looked at included Cbr’s failure to encrypt the information, keeping personal information when there is no longer a business need to do so, and not adequately restricting employee access to information.  (Remember, in Massachusetts, this would have been a violation of 201 CMR 17.00.)

The extent of this breach could have been limited if Cbr had implemented policies and procedures and trained its employees on and followed standard information security practices.  If you don’t have a comprehensive information security program or if it’s been a while since you reviewed your practices regarding data privacy and security, today is a good day to start.  If you need help please contact one of our privacy attorneys.

Can your organization answer “yes” to any of the following questions?

Does your organization have personal information (credit card numbers, checks, other financial information) from donors?

Does your organization have employees or volunteers for whom you have Social Security numbers?

Has your organization signed a merchant agreement to be able to accept credit cards?

Do you think that data privacy and security laws do not apply to you because you are a nonprofit? 

Mintz Levin’s Privacy and Security lawyers recently presented a webinar on this subject that might be useful to review the issues above — and more.

Links to the recording and presentation materials can be found here.


Written by Cynthia J. Larose and Adam Veness


Last October, a Maloney Properties, Inc. (“MPI”) company laptop was stolen containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents.  Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach.  As a result of that data breach, Massachusetts Attorney General Martha Coakley conducted an investigation into the acts and practices of MPI in protecting the personal information of its customers, as defined by G.L. c. 93H, § 1.  Based on her investigation, Coakley alleged that MPI violated G.L. c. 93H et seq., the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 et seq., and the Massachusetts Consumer Protection Act (G.L. c. 93A, § 2) by (a) maintaining personal information on an unencrypted laptop, and (b) failing to follow its own Written Information Security Program, as required by 201 CMR 17.03.

To settle the investigation, MPI entered into an Assurance of Discontinuance with the AG on March 21, 2012.  Pursuant to the Assurance of Discontinuance, MPI has agreed to pay a civil penalty of $15,000, and has further agreed that it will:

  • ensure that personal information is not unnecessarily stored on portable devices, including laptops;
  • ensure that all personal information stored on portable devices is properly encrypted;
  • ensure that all portable devices containing personal information are stored in a secure location;
  • effectively train employees on the policies and procedures with respect to maintaining the security of personal information; and
  • perform an audit of its compliance with its Written Information Security Program at least annually.

The Assurance of Discontinuance also requires that, for the years 2012 and 2013, MPI submit the results of its audit to the Attorney General’s office within 14 days of completion.  Given that the audit requirement says “on at least an annual basis,” it is conceivable that the Attorney General’s office could require MPI to conduct additional audits if the results are less than satisfactory.

Interestingly, this settlement has gone unreported by local media.  It is the third breach-related enforcement action by the Massachusetts Attorney General’s office.  In August 2011, the AG reached a settlement with Belmont Savings Bank for $7,500, and in March 2011, the AG reached a settlement with Briar Group, LLC for $110,000.  None of the settlements provides any guidance as to what kinds of reported breaches – or activity that relates to a breach – raise red flags at the Massachusetts AG’s office.  In all cases, however, the data was unencrypted in transit (Briar Group) or at rest (MPI and Belmont Savings).

Important Takeaway

If your business owns, stores, or licenses the personal information of Massachusetts residents, as of March 1, 2010, you must have a written information security program — and that program must be appropriately vetted, implemented with proper training of employees, and it must be revisited from time to time to ensure that it is still consistent with your operations.   Say what you do and make sure that you do what you say.

Contact a member of the Mintz Levin Privacy team for more information related to compliance with the Massachusetts data protection regulations, and for more information related to the legal requirements for when and how you must notify customers of a data security breach.   We’ve written extensively about compliance with the Massachusetts regulations, here.


For further information about the MPI settlement:

Attorney General Press Release

Maloney Properties, Inc. Letter to Affected Customers


Since it’s traditionally the time for new beginnings and resolutions to clear away old habits, we’d like to pass on some tips for improving privacy and security in your operations — and in your own life —  in 2012.

1.   Be sure to secure.

Many data breaches occur by leaving sensitive information lying around the office.  Keep documents containing sensitive data and personally identifiable information locked up.  A clean desk is a safe desk.  Also, make this the time to secure your home network.   Since many online banking and other types of activities occur across a home network, why allow drive-by hackers to compromise your information?

2.  Encrypt, Encrypt, Encrypt.

When transmitting sensitive information, make sure it is encrypted and transmitted over a secure connection.   This is not only a privacy and information security “best practice,” it is also required by several laws and industry body regulations, including the HITECH Act (for electronic protected health information), the Massachusetts data security regulations, and the Payment Card Industry Data Security Standards (for credit card information).

3.  If you don’t need it, don’t take it.

Data breaches often occur when a laptop or document files are stolen from an employee’s home, or lost while in transit.  If you don’t need to work with sensitive data outside the office, don’t take it with you.

4.   Once you have read it, shred it.

If you no longer need files or documents containing sensitive information, destroy them using proper methods.  Using a secure file deletion program or an “e-shredder” is an effective way to destroy electronic copies.  Again, this isn’t just “best practice” in many situations — it’s the law (e.g., FTC Disposal Rule, Mass. Gen. Law 93I, HIPAA Privacy Rule).

5.   Browse intelligently.

Make sure that your web browser’s security and privacy settings are set to an appropriate level.  When traveling, or using a personal computer, be sure to delete web or temporary file caches so your “e-footprints” don’t expose any sensitive information.

6.    Never engage with a spammer.

While unsolicited commercial emails (“spam”) are annoying, do not e-mail or otherwise contact the spammer unless you use a valid “unsubscribe” link at the bottom of the email.  Replying only serves to confirm your email address as “live” and may actually increase the amount of spam you receive.  Don’t open email or attachments from anyone you do not know.  Remind employees of this at work to avoid your company’s information being compromised by phishing scams.

7.  Make your passwords complex.

The passwords you use for your email, online banking, network access, or any other services that contain your private information — or the confidential information of your company/employer — should not be simple or easily guessed.   The best passwords are a mix of numbers, characters and letters.   If your company does not have a password policy, 2012 is a good time to start.  And,  mix up your own passwords.   Utilization of the same password across all your electronic activities is an invitation to be hacked.
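As an added illustration (not code from the original post), the following Python implements the two checks this tip calls for: a complexity rule requiring a mix of letters, digits and symbol characters, with a small deny-list of easily guessed passwords, and a reuse check that compares a candidate password against salted hashes of passwords already in use for other services, so that the same password is not shared across accounts. The minimum length, the deny-list entries and the class and function names are my assumptions, not anything the post specifies.

```python
"""Password policy and reuse checks (added example, not from the original post)."""
import hashlib
import hmac
import os
import string

# Constructed, deliberately tiny deny-list for illustration; a real policy
# would draw on a large list of leaked/common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}


def check_complexity(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations for `password`.

    An empty list means the password passes. The rules (assumed here) are:
    minimum length, at least one letter, one digit and one symbol character,
    and not on the common-password deny-list.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


class PasswordVault:
    """Tracks which services a password is already used for, storing only
    salted PBKDF2 hashes (never plaintext) so reuse can be detected."""

    def __init__(self):
        self._records = {}  # service name -> (salt, digest)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # PBKDF2-HMAC-SHA256 with a per-entry random salt; iteration count is
        # a reasonable modern default, not a value taken from the post.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, service: str, password: str) -> None:
        """Record that `password` is now in use for `service`."""
        salt = os.urandom(16)
        self._records[service] = (salt, self._hash(password, salt))

    def reused_from(self, password: str) -> list:
        """Return the (sorted) names of services already using this exact password."""
        return sorted(
            service
            for service, (salt, digest) in self._records.items()
            if hmac.compare_digest(self._hash(password, salt), digest)
        )


def vet_new_password(vault: PasswordVault, service: str, password: str) -> list:
    """Combine both checks: complexity violations plus any services where the
    password is already in use. Registers the password only if it is clean."""
    problems = check_complexity(password)
    reused = vault.reused_from(password)
    if reused:
        problems.append("already used for: " + ", ".join(reused))
    if not problems:
        vault.register(service, password)
    return problems


if __name__ == "__main__":
    vault = PasswordVault()
    # Constructed sample passwords for demonstration only.
    print(vet_new_password(vault, "email", "password"))
    print(vet_new_password(vault, "email", "Tr0ub4dor&3-v2xQ"))
    print(vet_new_password(vault, "banking", "Tr0ub4dor&3-v2xQ"))
```

Because the vault holds only salted hashes, the reuse check can be run by a password manager or an enrolment workflow without ever retaining the plaintext of other accounts’ passwords; `hmac.compare_digest` keeps the comparison constant-time.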

Here’s to a happy and SAFE 2012!!


Last week, we introduced the “Privacy Webinar Wednesday” educational series with Data Privacy and Security Issues for the Not-for-Profit:  201 CMR 17.00, PCI, and Other Acronyms You Should Know.  It was incredibly well-received – over 150 registrants.   We’ll be presenting various privacy and security issues on the first Wednesday of the month.

In case you missed it, the replay is available here.

The next Webinar Wednesday program in our series is scheduled for Wednesday, June 1 – Privacy and Security Under HIPAA/HITECH In an Age of Heightened Enforcement.   Registration information will be posted here when available.


Don’t forget to register for our first in the Webinar Wednesday Privacy series – Data Privacy and Security Issues for Non-Profits.  We have over 100 participants registered!  Join us and learn about compliance obligations of non-profit institutions and organizations and what to do to prepare for the inevitable data breach.   The second part of the session will feature an intensive look at the Payment Card Industry standards and why, if your organization or institution accepts credit cards — at all — you are required to comply.

Once again, we have evidence that failures to implement the most basic of data security measures can cost real money.

The Massachusetts Attorney General’s office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag.   Despite many headlines trumpeting the “first enforcement action,” this action was not brought by the AG’s office under the Massachusetts data security regulations. It was a consumer protection action brought by the Attorney General under the Massachusetts consumer protection law, 93A. 201 CMR 17.00 certainly played a part in the consent order and the Briar Group is required to implement a written information security plan, and supply a copy to the AG’s office within 14 days of the order.  The standards set out in 201 CMR 17.00 are the framework around which the settlement order is built, but the action was not one to enforce those regulations.   Those are coming.

A copy of the consent order is here –  Briar Signed Consent Judgment – 3-28-11 (3).pdf.

Much has been written and blogged over the last couple of days about the consent order.  But what should businesses take away from this?   The retail and hospitality business is particularly vulnerable to data breaches due to the volumes of credit card information that it processes every day.   But it is also responsible for dealing with that aspect of its business as a part of doing business.

More after the jump.

Continue reading: Into the Breach – Security Failures Can Cost You