Take Extra Care When Disposing of Medical Records

That’s the lesson that four pathology groups and the former owners of a medical billing practice in Massachusetts learned the hard way. They have agreed to collectively pay $140,000 to settle allegations that sensitive medical records and confidential billing information for tens of thousands of patients were improperly disposed of at a public dump. The settlement was announced Jan. 7 by Martha Coakley, the state’s attorney general (AG). In a statement, she said, “Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors. It is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.” The data breach came to light in July 2010 when a Boston Globe photographer, dropping off his trash at a public dump, observed a large mound of papers which, upon closer inspection, he determined were medical records. His discovery was first reported in the Globe shortly thereafter. The medical records contained information for more than 67,000 state residents, including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed, the AG said. The pathology defendants in the settlement are Dr. Kevin Dole, former president of Chestnut Pathology Services, P.C. (Boston); Milford Pathology Associates, P.C. (Milford); Milton Pathology Associates, P.C. (Milton); and Pioneer Valley Pathology Associates, P.C. (Holyoke). The AG faulted them for two reasons:

• Violating regulations under the Health Insurance Portability and Accountability Act by failing to have appropriate safeguards to protect the personal information they provided to the billing contractor, Goldthwait Associates (located in Marblehead and formerly owned by Joseph and Louise Gagnon, who retired in 2010).

• Violating state data security rules by not taking reasonable steps to select and retain a service provider with appropriate security measures to protect confidential information.

In May 2012 the AG reached a $750,000 settlement with South Shore Hospital (South Weymouth), resolving allegations that it failed to protect the confidential health information of more than 800,000 patients when it sent unencrypted computer tapes off-site to be erased but did not inform the contractor about the data exposure.