GEORGETOWN — Joseph and Louise Gagnon of Marblehead took the cheap and quick way out and had multiple years’ worth of sensitive medical records chucked into a Georgetown trash dump, court documents allege.
The effort to save money, according to a settlement announced by Attorney General Martha Coakley on Monday, has led to a large fine for a data breach that put sensitive patient information at risk.
The husband and wife, who were doing business in Marblehead as Goldthwait Associates, along with four pathology groups for which they were handling the billing, agreed to pay $140,000 collectively to settle allegations that the private billing and medical records of 67,000 Bay State patients wound up in the Georgetown transfer station.
The civil complaint, filed in Suffolk Superior Court along with consent judgments approved Monday, alleges that the Gagnons violated state laws meant to protect such information.
“We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again,” Coakley said in a statement.
The Gagnons and the other defendants did not make any admission of liability, according to court documents.
The Gagnons were fined a total of $30,000: $15,000 in civil penalties, $5,000 in attorney’s fees and $10,000 for a fund set up to promote programs to protect patient or consumer data. Based on a review of the Gagnons’ financial records, $25,000 was suspended, contingent on the Gagnons’ compliance with the settlement, court documents show. They were ordered to pay $5,000 in civil penalties.
According to court documents, the discovery of the patient data dump was connected to the Gagnons’ retiring from the medical billing business in May 2010.
“In an effort to dispose of multiple years’ worth of personal health information as cheaply and as quickly as possible, they hired their son, Joseph Gagnon Jr., to dump the documents at the Georgetown Transfer Station in July 2010,” according to the complaint. The information contained “sensitive health and other personally identifiable information” in plain view of others tossing trash.
“The Gagnons’ failure to institute and implement reasonable data security measures to protect the confidentiality of protected health and personal information entrusted to Goldthwait, and instead allow an untrained third party to dispose of the documents at a dump, resulted in a serious violation of patient privacy and violations of state consumer protection and data security laws,” court documents said.
The dumped records contained names, Social Security numbers, names of medical procedures, dates of birth, marital status, phone numbers, health insurance information and diagnoses of patients, among other information, court documents allege.
The address listed online for Goldthwait Associates is 40 Lincoln Ave., Marblehead. The Gagnons also reside at the same address, according to court documents. A message left at the Gagnons’ home was not returned yesterday. The phone for Goldthwait is disconnected.
The other pathology group defendants in the case are Dr. Kevin Dole, former president of Chestnut Pathology Services P.C. of Boston; Milford Pathology Associates P.C.; Milton Pathology Associates P.C.; and Pioneer Valley Pathology Associates P.C.
The complaint alleges these pathology groups violated the federal 1996 Health Insurance Portability and Accountability Act regulations because they lacked safeguards to protect the “protected health information” of hospital patients they disclosed to the Gagnons. They also allegedly violated state data security regulations by not taking reasonable steps to ensure that the Gagnons could safeguard the information.
Goldthwait Associates was founded by the Gagnons in 1983 to provide medical billing services for physicians and physician groups, the complaint states. By the time they retired, the other defendants were their four remaining clients. Hospitals associated with the pathology groups provided patients’ medical records and billing information to these groups, and they in turn provided this information to the Gagnons.
Around June 1, 2010, the Gagnons sold Goldthwait.
Even after transferring the business, “the Gagnons continued to possess a basement full of documents containing PI (personal information) and PHI (protected health information), and it remained the Gagnons’ responsibility to properly dispose of these documents,” according to court documents. Instead of using a professional shredding or data disposal company, they allegedly asked their son to dispose of the records, “as he had done in the past.”
On July 26, some of the medical records were taken by a private citizen from the transfer station and given to law enforcement, the complaint says. The remaining records from that day were not recovered and are presumed destroyed. The Gagnons’ son had also disposed of medical records at the Georgetown transfer station in March 2007, January 2008, January 2009 and January 2010, court documents allege.