Massachusetts hospital to pay $750,000 to settle data breach case
South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 patients. The settlement is the result of a data breach reported to the Attorney General’s Office in July 2010.
Attorney General Martha Coakley announced the settlement May 24.
The alleged breach included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” Coakley said in announcing the settlement. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”
The consent judgment approved in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the Massachusetts Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.
The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA).
According to the AG’s findings, in February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes, which contained 800,000 individuals' personal information and protected health information, off-site to be erased. The hospital contracted with Archive Data Solutions to erase the backup tapes and resell them.
The hospital did not inform Archive Data, however, that personal information and protected health information were on the backup computer tapes, nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.
In June 2010, South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.
The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.
According to the consent judgment, South Shore Hospital has also agreed to take steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.
South Shore, a 318-bed hospital, serves southeastern Massachusetts. The Boston Globe has reported that Boston-based Partners HealthCare System has been in talks to acquire the hospital.