Massachusetts General Hospital has agreed to settle with the U.S. Department of Health and Human Services over claims the hospital violated privacy regulations.

The hospital will pay out $1 million, stemming from the loss of patient records on a Red Line train two years ago. A hospital employee who had taken work home mislaid the papers. They were never found.

WBUR's Carey Goldberg, co-host of the CommonHealth blog, joined Morning Edition to explain the settlement.

Bob Oakes: How did these records get lost?

As far as we can tell from the legal documents, in March 2009 there was a billing manager at MGH who brought home some papers to work on them, which she wasn't supposed to do. And as she was on her way back to work on the Red Line, she apparently put the papers down on the seat next to her — they weren't in a folder or anything, they were just in a rubber band — and then when she got off the subway she left them there.

This privacy breach involved 192 records of patients at MGH's Infectious Disease Associates. How many patients are we actually talking about, and what kinds of conditions and diseases were they being treated for?

There are two sets of patients, the bigger set is 192, but the records did not have much detailed information in them, it was more like a schedule. But then there were 66 patients whose records were actually fairly detailed. It had their diagnoses, it had their doctors, it had possibly identifying numbers, such as Social Security numbers, and many — if not most of those patients — had HIV or AIDS — so you can understand that it was a particular issue that their privacy was breached.

I'm sure they're very concerned about whether that information is out in public.

Yes, as far as we know those records have never been found, there was never an attempt to use them for anything. But some of the patients were so concerned and upset that they actually have brought a class action lawsuit that's being brought by two Salem attorneys. And part of what concerned them so much is that, as they tell it, MGH took quite a long time to notify them that the records had been lost, about nine days, which they thought was too long.

So that lawsuit goes forward even though MGH has reached a settlement with the federal government?

Yes, the settlement with the federal government is more like a fine. It is never actually called a fine in the legal documents, it’s called a "settlement payment," but as far as I understand it when you pay money to the government it’s basically a penalty.

How did they come up with the $1 million figure?

It’s not clear from the legal documents, but I know that $1 million is considered extremely high for a privacy violation payment.

What has become of the MGH employee who left the files on the Red Line?

That remains a mystery and is not detailed in any of the documents that I can see.

So what happens now at MGH in terms of trying to make sure this doesn't happen again?

The major part of the settlement that MGH agreed to concerns a corrective action plan to revise its policies concerning patient protection. There will be new procedures about physical removal and transport of patient records, and also laptop and USB drive encryption.

I have to say, although it’s true that you could leave a laptop or a memory stick on a subway train, but I can’t think of a better argument for electronic medical records than the fact that patient papers can be left on a train.

Since these records were on paper do you think that this episode will accelerate the push for records going digital, at least at MGH?

I think MGH is already far ahead on that, and in fact Massachusetts is by far in the vanguard of moving toward electronic medical records, but I think a horror story like this must add an extra push.

More: