McLean Hospital to Pay $75,000 to Settle a HIPAA Violation


Massachusetts Attorney General Maura Healey issued to McLean Hospital a HIPAA violation fine amounting to $75,000 in relation to a data breach in 2015 that exposed about 1,500 patients’ protected health information (PHI).

McLean Hospital is a psychiatric hospital situated in Belmont, MA. The hospital regularly allowed an employee to take 8 backup tapes home. In May 2015, the employee was terminated. Of the backup tapes, only four were returned to McLean Hospital. The tapes were unencrypted even though they contained the PHI of around 1,500 patients, employees and deceased donors of the Harvard Brain Tissue Resource Center.

The missing backup tapes stored clinical and demographic information such as names, Social Security numbers, health diagnoses and family medical histories. Besides the PHI compromise, the state AG investigated McLean Hospital and discovered failures in

  • the training of employees
  • identifying, evaluating and planning for security hazards
  • promptly reporting the missing tapes
  • encrypting the data or utilizing a substitute measure to protect data in portable devices

Hospitals must take steps to protect the personal information of their patients. The violation penalty issued to McLean Hospital requires the hospital to adopt a new information security plan and to train employees on the correct handling of private information.

Backups of sensitive data should be created regularly to ensure that patients’ information is recoverable when a disaster strikes. When backups are stored on physical media and employees take them home, appropriate security controls ought to be in place to prevent unauthorized access and to ensure that no PHI is exposed if the media are lost or stolen. Although HIPAA does not require PHI to be encrypted, an organization that chooses not to encrypt must implement an alternative security measure that provides a comparable level of protection for sensitive data.

In addition to the financial penalty, McLean Hospital agreed to enhance its data security processes. A written data security plan will be implemented and monitored. New and current employees will receive training on PHI privacy and security. The hospital will conduct an inventory of all portable devices containing ePHI. Encryption will be required on all ePHI within 60 days.

McLean furthermore agreed to a third-party audit, to be conducted by the Harvard Brain Tissue Resource Center, of its management of portable devices containing personal and health information.

This HIPAA violation settlement is the second issued by Massachusetts in 2018. The first was issued to UMass Memorial Medical Group / UMass Memorial Medical Center in September and involved a $230,000 fine.