St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecured online document-sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.
The federal agency notified the hospital, which is part of Steward Health Care, of the complaint and its investigation in February 2013. The hospital then self-reported a different data breach to OCR in August 2014. At that time, St. Elizabeth’s revealed unsecured ePHI of 595 patients was found stored on a former employee’s personal laptop and USB flash drive.
A second investigation into the hospital’s compliance with HIPAA rules was launched in November 2014, and ultimately both probes found that St. Elizabeth’s essentially neglected to take action once it learned of the breaches.