South Shore Hospital in South Weymouth, Mass., has agreed to a $750,000 settlement over a 2010 data breach that exposed the personal data of 800,000 individuals, the Boston Globe's "Business Updates" reports.
In February 2010, South Shore contracted with Pennsylvania-based Archive Data Solutions to erase and re-sell 473 data tapes containing personal information on 800,000 individuals. The data were not encrypted, and South Shore did not tell ADS that the tapes contained sensitive information (Bray, "Business Updates," Boston Globe, 5/24). Data on the tapes included:
- Medical diagnoses;
- Financial account numbers; and
- Social Security numbers (Cheung, FierceHealthcare, 5/25).
The tapes were sent to a Texas subcontractor in three boxes, and the hospital later learned that only one of the boxes had arrived ("Business Updates," Boston Globe, 5/24).
Although the missing boxes have not been found, there have been no reports of unauthorized use of the lost data (Monegain, Healthcare IT News, 5/29).
Details of Lawsuit, Settlement
Following the data breach, Massachusetts Attorney General Martha Coakley (D) sued the hospital ("Business Updates," Boston Globe, 5/24). The lawsuit alleged that the hospital had violated the Massachusetts Consumer Protection Act and HIPAA's privacy and security rules.
Under the settlement, approved by Suffolk Superior Court, the hospital will pay:
- $250,000 as a civil penalty; and
- $225,000 toward a fund established by Coakley to promote education about the protection of health information and other personal data.
The $750,000 settlement also accounted for $275,000 that the hospital already has spent to adopt new security measures (Conn, Modern Healthcare, 5/24).
As part of the settlement, South Shore agreed to undergo a review and audit of certain security measures and report the results and corrective actions to the attorney general (Byers, CMIO, 5/25).
Sarah Darcy -- a spokesperson for South Shore -- said that since the breach, the hospital has "put in a great deal of new measures to protect personal information." She said, "Everything, everything is encrypted now" ("Business Updates," Boston Globe, 5/24).