Privacy & Cybersecurity Law Blog

On January 7, 2013, Massachusetts Attorney General Martha Coakley announced that several Massachusetts medical practices have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants, which include several pathology practices and a firm that provided medical billing services to those practices, were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public. The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The illegal dumping allegations were publicized in a Boston Globe article after a photographer for the newspaper discovered medical records at the facility while he was disposing of his own trash.

The complaint against the medical practices alleged violations of the HIPAA Privacy Rule as well as the Massachusetts information security regulations that require reasonable and appropriate security measures to protect personal information.

In announcing the settlement, Attorney General Coakley noted that “it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.” This recent settlement follows a similar $750,000 settlement in May 2012 stemming from a breach of medical records in Massachusetts.