That's going to require a revamp of compliance and records-security procedures, or at least documentation of what the IT crew is already doing.
That alone, plus training hundreds or thousands of employees in new procedures, may very well cost MGH a lot more than the $1 million it has to pay in fines – not to mention the cost of any potential litigation or settlement with patients whose records were lost.
A lot of the implementation cost is going to fall on IT, even though it had nothing to do with the security breach, and may never have any ability to control what employees do with paper records.
Neither the fine nor the cost of follow-up is going to sink MGH or its giant parent company Partners HealthCare System, Inc.
It should scare a lot of other organizations, though – whether they're in the healthcare business or not.
There are plenty of regulations to threaten anyone not paying enough attention, though surveys show compliance is eating up so much of security budgets it often doesn't leave enough for proper security.
Pick your favorite: HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, FDA 21 digital records and signatures rules, the Fair and Accurate Credit Transactions Act, the Foreign Corrupt Practices Act, import/export rules, the Multiple-Deliverable Revenue Arrangements accounting rules...
No matter which of them keeps you up at night, or how well you have them covered (digitally, at least), every one of them can come back to bite you in the form of a single employee dedicated and hardworking enough to take records home, and just as forgetful as the rest of us on the morning commute back in.
$1 million is a lot to pay for someone else's grogginess during the morning commute, especially when the repercussions hit you even though there's currently nothing you can do to make sure sensitive paper doesn't go missing in the subway.