Massachusetts Attorney General Maura Healey and Multi-State Billing Services (MSB), a Medicaid billing company that provided processing services for 13 public schools, signed a no-fault consent judgment settling a 2014 data breach resulting from a stolen laptop that put 2,618 children at risk for identity theft and fraud. The MSB laptop contained unencrypted personal information, including names, social security numbers, Medicaid identification numbers and birth dates.
The settlement requires MSB to pay $100,000 and implement improved security practices after an investigation by the attorney general’s office determined it violated state consumer protection and data security laws. More specifically, the judgment requires MSB to continue to develop, implement and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with data security laws. It must also train its staff on how to protect personal information and regularly report on its compliance with such requirements to the state attorney general’s office.
“This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others,” said Massachusetts Attorney General Maura Healey in a press statement.
The settlement comes on the heels of a $2 million no-fault settlement in California that we recently covered in a previous blog post. The current uptick in state-level enforcement suggests an active commitment to health care security by the various attorneys general and encourages covered entities and business associates alike to address their vulnerabilities to avoid such high cost settlements.