Medicaid Billing Company Pays $100,000 for Data Breach Case with Massachusetts Attorney General

Multi-State Billing Services (MBS), based in New Hampshire, experienced a data breach that resulted in a financial settlement of $100,000 with the Massachusetts attorney general’s office. MBS provides Medicaid processing services for 13 public school districts in Massachusetts.

Allegedly, a password-protected, unencrypted laptop computer was stolen from an MBS employee in 2014. The laptop contained the personal information of over 2,600 children who were Medicaid recipients. Information such as names, Medicaid numbers, Social Security numbers and birth dates was exposed. In response to the data breach, MBS sent notification letters to all affected persons and offered them reimbursement for resulting security freezes in the three years following the data breach. MBS also tightened the security of all portable computers, implementing the use of encryption for storing sensitive information.

When the Massachusetts attorney general’s office conducted an investigation, it determined that MBS did not implement enough protective measures to avoid the data breach. State law requires companies to take reasonable steps to make sure that unauthorized individuals do not access or use sensitive personal information. Had MBS put proper safeguards in place before the laptop theft, the data breach could have been avoided.

In particular, MBS failed to use a secure information program and did not encrypt sensitive personal information stored on portable storage devices. There was also a lack of staff training on the proper protection of personal information.

Massachusetts Attorney General Maura Healey required MBS to pay the fine and to develop and implement a comprehensive information security program. Staff training on how to handle and safeguard personal information was also required. The consent judgment against MBS was necessary to ensure that the breach doesn’t happen again. It also emphasizes the importance of protecting the sensitive information of children and of any other individual.