Recently, the Massachusetts Attorney General announced that Women & Infants Hospital of Rhode Island (the “Hospital”) agreed to pay $150,000 to settle data breach allegations. In April 2012, the Hospital discovered that it was missing 19 unencrypted back-up tapes from its locations in Providence, Rhode Island and New Bedford, Massachusetts. The tapes contained the personal information and protected health information of more than 12,000 Massachusetts patients, including names, dates of birth, Social Security numbers, dates of exams, physicians’ names, and ultrasound images. A copy of the Massachusetts Attorney General’s press release concerning the settlement can be found here.
According to the Attorney General’s office, the Hospital allegedly did not notify patients of the breach until the fall of 2012. Under the terms of the settlement, the Hospital agreed to pay a civil penalty, attorneys’ fees and costs, and a payment of $15,000 that the Attorney General’s office will use to promote data security education and finance future data security litigation. Under the terms of the settlement, the Hospital also agreed to take measures to ensure future compliance with state and federal data security laws.
Enforcement actions such as the Attorney General’s action against the Hospital may be brought pursuant to Mass. Gen. Laws c. 93H, §2, which applies to “any person that owns or licenses personal information about a resident” of Massachusetts. Chapter 93H requires the promulgation of regulations designed to safeguard the personal information of Massachusetts residents. Under M.G.L. c. 93H, §6, the Attorney General is authorized to bring an action to enforce Chapter 93H under the Massachusetts Consumer Protection Act, M.G.L. c. 93A. In this case, the Massachusetts Attorney General’s jurisdiction likely extended to the Hospital because the alleged data breach involved patients in Massachusetts. In addition, some of the lost data originated from one of the Hospital’s locations in Massachusetts.
Whether insurance coverage exists for settlement payments such as the one made by the Hospital depends largely on the type of policy held by the allegedly breaching party, and on the policy language contained therein. Due to the rapidly rising number of claims against healthcare organizations related to alleged breaches of protected health information, many such organizations are electing to purchase supplemental privacy endorsements or specialty privacy liability policies that are designed to provide coverage for various costs incurred in connection with breaches of protected health information. Under traditional types of policies sold to healthcare organizations, such as Healthcare Professional Liability (“E&O”) policies and Not-for-Profit Directors & Officers (“D&O”) policies, defined policy terms such as “claim,” “damages,” “loss,” “wrongful act” and “professional services” may result in an absence of coverage for breaches of protected health information. Policy exclusions in traditional E&O and D&O policies for privacy/data breach events may also operate to preclude coverage for such claims. For a more detailed discussion of the extent to which traditional E&O and D&O policies afford coverage for breaches of protected health information, see “Insurability of HIPAA Claims Arising From Health Information Data Breaches Under Traditional E&O and D&O Policies,” 2014 PLUS Journal Volume XXVII, Number 7, available here.