“The Gagnons’ failure to institute and implement reasonable data security measures to protect the confidentiality of protected health and personal information entrusted to Goldthwait, and instead allow an untrained third party to dispose of the documents at a dump, resulted in a serious violation of patient privacy and violations of state consumer protection and data security laws,” court documents said.
The dumped records contained names, Social Security numbers, names of medical procedures, dates of birth, marital status, phone numbers, health insurance information and diagnoses of patients, among other information, court documents allege.
The address listed online for Goldthwait Associates is 40 Lincoln Ave., Marblehead. The Gagnons also reside at the same address, according to court documents. A message left at the Gagnons’ home was not returned yesterday. The phone for Goldthwait is disconnected.
The other pathology group defendants in the case are Dr. Kevin Dole, former president of Chestnut Pathology Services P.C. of Boston; Milford Pathology Associates P.C.; Milton Pathology Associates P.C.; and Pioneer Valley Pathology Associates P.C.
The complaint alleges these pathology groups violated the federal 1996 Health Insurance Portability and Accountability Act regulations because they lacked safeguards to protect the “protected health information” of hospital patients they disclosed to the Gagnons. They also allegedly violated state data security regulations by not taking reasonable steps to ensure that the Gagnons could safeguard the information.
Goldthwait Associates was founded by the Gagnons in 1983 to do medical billing services for physicians and physicians groups, the complaint states. By the time they retired, the other defendants were their four remaining clients. Hospitals associated with the pathology groups provided patients’ medical records and billing information to these groups, and they in turn provided this information to the Gagnons.
Around June 1, 2010, the Gagnons sold Goldthwait.
Even after transferring the business, “the Gagnons continued to possess a basement full of documents containing PI (personal information) and PHI (protected health information), and it remained the Gagnons’ responsibility to properly dispose of these documents,” according to court documents. Instead of using a professional shredding or data disposal company, they allegedly asked their son to dispose of the records, “as he had done in the past.”
On July 26, some of the medical records were taken by a private citizen from the transfer station and given to law enforcement, the complaint says. The remaining records from that day were not recovered and are presumed destroyed. The Gagnons’ son had also disposed of medical records at the Georgetown transfer station in March 2007, January 2008, January 2009 and January 2010, court documents allege.