Understanding of Global Data Privacy Regulations Helps Avoid Conflicts in Cross-Border Discovery Disputes

InsideCounsel recently published "E-discovery: The need for a transnational approach to cross-border discovery disputes," an article on international discovery issues and the benefit of a respectful approach to document productions outside of the U.S. Written by Reed Smith Records & E-Discovery Group members David R. Cohen, Regis W. Stafford, Jr. and Caitlin R. Gifford, the piece notes that proposed EU Data Protection Directive regulations have the potential to subject multinational companies to sanctions of up to two percent of annual worldwide revenue for serious breaches, including unlawful data transfers to the U.S. In addition, although not binding on U.S. courts, the ABA recently issued a resolution and recommendation that states in part that U.S. courts should “consider and respect the data protection and privacy laws of any foreign sovereign...” This article underscores the importance of a comprehensive global approach to document production in cross-border litigation.


Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals.  The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office of Civil Rights in accordance with the HIPAA Breach Notification Rule.  Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information.  South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes.  According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.  The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes arrived.  The two missing boxes were never recovered and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA. State Attorneys General have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, which includes obtaining damages and enjoining further violations, pursuant to HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009. In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.