Massachusetts Attorney General Maura Healey and Multi-State Billing Services (MSB), a Medicaid billing company that provided processing services for 13 public schools, signed a no-fault consent judgment settling a 2014 data breach resulting from a stolen laptop that put 2,618 children at risk for identity theft and fraud. The MSB laptop contained unencrypted personal information, including names, social security numbers, Medicaid identification numbers and birth dates.
The settlement requires MSB to pay $100,000 and implement improved security practices after an investigation by the attorney general’s office determined it violated state consumer protection and data security laws. More specifically, the judgment requires MSB to continue to develop, implement and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with data security laws. It must also train its staff on how to protect personal information and regularly report on its compliance with such requirements to the state attorney general’s office.
“This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others,” said Massachusetts Attorney General Maura Healey in a press statement.
The settlement comes on the heels of a $2 million no-fault settlement in California that we recently covered in a previous blog post. The current uptick in state-level enforcement suggests an active commitment to health care security by the various attorneys general and encourages covered entities and business associates alike to address their vulnerabilities to avoid such high cost settlements.
If you have any questions about this settlement or health care security and privacy in general, please contact any member of Drinker Biddle’s Health Care Team.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.