UMass fined $230,000 for data breaches

Photo/Grant Welker UMass Memorial Medical Center in Worcester. The network says it has taken steps to increase security after a security breach.

Write a Comment

UMass Memorial Medical Group and flagship hospital UMass Memorial Medical Center will pay the state $230,000 after complaints of two data breaches exposing personal and health records of more than 15,000 patients.

Attorney General Maura Healey’s office in a complaint last week said two former employees of the hospital in separate breaches improperly accessed patients’ personal and health information for fraudulent purposes, including opening cell phone accounts and new credit cards.

The breaches exposed information including names, addresses, social security numbers, clinical information and health insurance information.

Per the settlement, the health care group and hospital have agreed to conduct employee background checks and ensure proper employee discipline, train employees on handling patient information, limit employee access to patient information, fix any potential data security issues and investigate suspected improper access to information.

UMass Memorial is also required to hire an independent third-party firm to review the organization’s data security operation. The results of the study will be shared with Healey’s office.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” Healey said. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

UMass issued a statement in regards to the complaint.

"UMass Memorial regrets that these incidents occurred. In the four years since they took place we have taken steps aimed at further strengthening our privacy and information security program," the hospital said.

"This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures. We cooperated fully with the attorney general’s office to reach the resolution announced today."