Multi-State Billing Services (MBS) has reached a $100,000 settlement with the Massachusetts Attorney General’s office following a data breach which occurred in 2014. The data of 2,600 children was compromised as a result of the breach.
MBS is a New Hampshire-based Medicaid billing company that provides processing services for 13 public school districts in Massachusetts – Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.
In 2014, MBS experienced the theft of a password-protected, unencrypted laptop computer from a company employee. The laptop contained the sensitive personal information of Medicaid recipients. Names, Social Security numbers, Medicaid numbers, and birth dates of Medicaid recipients living in Massachusetts were all stored on the device. As a result of the laptop theft, more than 2,600 children had their sensitive information exposed.
In accordance with HIPAA’s Breach Notification Rule, MBS notified all affected individuals following the breach. The company offered to reimburse costs related to security freezes for three years following the breach. MBS also updated its security system to prevent such a data breach from happening again. This included ensuring that encryption was used on all portable computers which stored the sensitive information of Medicaid recipients.
Due to the size and nature of the breach, the incident was investigated by the Massachusetts Attorney General’s office. The investigators determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” A breach of sensitive information could have been avoided had such safeguards been implemented earlier.
The Attorney General’s office made a point of indicating that MBS had failed to develop, implement, and maintain a written information security program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff on how to reasonably safeguard personal information.
A consent judgement against MBS was obtained by Massachusetts Attorney General Maura Healey. That judgement requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.
Attorney General Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”