Multiple Failures to Stop Two Thieving Workers Trigger $230,000 Settlement With Massachusetts

A 12-year employee of UMass Memorial Medical Center who was the subject of several investigations for improper access to patient records was finally placed on leave—paid leave—in 2014 after being caught opening a credit card in the name of a deceased patient. The patient’s widow complained to the physician, but the complaint was apparently not passed on for more than six months, giving the employee time to try to start more fraudulent accounts, including for cell phone service.

Also in 2014, an individual hired six years earlier by a UMass Memorial-affiliated physicians group used a billing co-worker’s credentials to steal patient information, which was then offered to someone “as payment for a debt.” Other documents containing protected health information (PHI) that the employee apparently pilfered were later discovered in a backpack in the possession of law enforcement as part of an unrelated investigation.

The two wayward employees, who ultimately resigned, potentially breached the PHI of 15,000 individuals and led to a fine of $230,000 imposed by Massachusetts Attorney General (AG) Maura Healey. As announced on Sept. 20, the medical center and UMass Medical Group jointly agreed to the payment and to implement an extensive series of corrective actions, including hiring an external monitor, the costs of which likely outweigh the monetary penalty.

The complaint and settlement documents in the case, provided to RPP by Healey’s office, outline missteps by the organizations collectively referred to as UMass Memorial, but also demonstrate the value of informants in bringing issues to light—and the need to take them seriously. UMass Memorial did not admit wrongdoing but, in a statement to RPP, said it “regrets that these incidents occurred” and that it has beefed up its privacy and security efforts.

As if one were necessary, the settlement is yet another reminder that state attorneys general can, and will, use the authority granted them by the HITECH Act to pursue enforcement of HIPAA, as well as state laws (RPP 9/18, p. 1). Coincidentally, the case also comes on the heels of a nearly $1 million settlement involving three Massachusetts health care organizations unrelated to UMass Memorial’s agreement (see story, p. 1).
