Hospital pays $750K to settle data breach of missing tapes

South Shore Hospital agreed to pay three-quarters of a million dollars to settle claims that the Massachusetts hospital violated state and federal law by allegedly failing to protect the health information of more than 800,000 individuals, the Massachusetts attorney general's office announced yesterday.

South Shore Hospital allegedly failed to protect confidential information, including individuals' names, Social Security numbers, financial account numbers and medical diagnoses.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes so that contractor Archive Data Solutions could erase and resell the tapes. However, the hospital failed to inform Archive Data that the tapes had personal, protected information on them and didn't take steps to determine whether the vendor had sufficient safeguards in place to protect the sensitive information.

Multiple companies handled the boxes during shipping, and only one box arrived at its destination in June 2010. The other two boxes have not been recovered, although there are no reports of unauthorized use of the information.

"Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form," Attorney General Martha Coakley said in the statement. "It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach."

The hospital has since taken steps to comply with data security laws, including requirements in business contracts and third-party services for data destruction.

"[W]e've actually put in a great deal of new measures to protect personal information," South Shore spokeswoman Sarah Darcy told The Boston Globe. "Everything, everything, is encrypted now."

For more information:
- read the statement
- here's the Globe article

Related Articles:
Massachusetts health data breaches have impacted more than 980K people
Patient data for 7,000 compromised in Arkansas
Emory Healthcare loses records for 315k patients, including CEO's