Massachusetts Attorney General Martha Coakley announced this week that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump.
The complaint alleges that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown, Mass. Transfer Station. The medical records contained information on more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped.
“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” Coakley said in a press release. “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”
Coakley’s office noted that the case came to the public’s attention in July 2010 when a Boston Globe photographer was disposing of his own trash at the station and saw a large mound of paper which, upon closer inspection, he determined were medical records. His discovery was first reported in the Globe shortly thereafter.
The other defendants involved in the settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; and Pioneer Valley Pathology Associates, P.C.
The AG’s Office alleges that these pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.
The Gagnons ran Goldthwait Associates, which primarily provided medical billing services for pathology groups. The Gagnons retired from Goldthwait Associates and the medical billing business in 2010.
Each of the four pathology groups and the Gagnons agreed to entry of consent judgments to resolve the AG’s allegations. Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
/* Style Definitions */
mso-padding-alt:0in 5.4pt 0in 5.4pt;