Expert weighs in on data loss at South Shore Hospital

Mac McMillan, CEO of CynergisTek

A breakdown in data destruction protocols could help explain why back-up files containing information on 800,000 individuals were lost from a Mass. hospital after a data management company was hired to destroy them.

This is according to healthcare IT security expert, Mac McMillan, CEO of Austin, Tex.-based CynergisTek, a provider of healthcare information security solutions, and chair of the HIMSS Privacy and Steering Committee.

Officials at South Shore Hospital, a not-for-profit, regional provider of acute, outpatient, home health and hospice care for southeastern Massachusetts, said the files were sent to a professional data management company for off-site destruction on Feb. 26 – and on June 17 the hospital was finally notified that only a portion of the files had been received.

The computer files contained personally identifiable information for patients who received medical services at South Shore Hospital – as well as employees, physicians, volunteers, donors, vendors and other business partners associated with the hospital – between Jan. 1, 1996, and Jan. 6, 2010.

If the tapes were encrypted, McMillan says, the hospital wouldn't be having this issue. He points to provisions under the HITECH Act, which state that if lost data is encrypted there is no obligation to report it.

Some of the data was less than a year old, which leaves the hospital with no excuse for not having it encrypted, says McMillan – adding that it would have been possible to encrypt the old data as well. But even without encryption, for an outside source to recover that data on the tapes would take specialized equipment and knowledge, he says.

Although it is not impossible for the information on the back-up tapes to be recovered, it is highly unlikely because the thief would have to have access to the application needed to run the tapes and get the data, McMillan says. It is also highly unlikely that there would be access to such an application away from the hospital.

McMillan recommends that organizations destroy their patient data on-site because it allows them to retain control of the complete process. He points out, however, that there are reputable data management companies, and that organizations simply need to do their homework so they understand the company's processes and how files are received and documented. 

McMillan says that if the hospital had tighter chain of custody processes, it may have been alerted sooner about a problem, and authorities would have a better chance at finding out what happened to this data. "The problem is that if [the hospital] doesn't find out that something went missing until months later, the trail to find it is gone."