Hospital Fined $750,000 After Two Boxes of Data Go Missing During Recycling Transport

By Carlton Purvis

Boston’s South Shore Hospital has agreed to pay $750,000 to settle allegations that it failed to protect personal health information of more than 800,000 people, mostly patients, after a breach in 2010.

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” Massachusetts Attorney General Martha Coakley said in a statement announcing the settlement.

In June 2010, South Shore shipped three boxes of 472 unencrypted computer tapes to an off-site location to be erased and recycled. Somewhere between Boston and Texas, two of the three boxes disappeared.

The Massachusetts attorney general’s office says South Shore failed to inform the company contracted to erase the tapes, Archive Data, that the tapes contained protected health information. This information included names, Social Security numbers, addresses, phone numbers, birth dates, and health plan information, according to a press release on the hospital’s Web site that has since been removed.

The AG says the hospital violated both federal and state law with the breach and by failing to ensure Archive Data had procedures in place to safeguard the information.

The missing boxes were never recovered, but to date there have been no reports of unauthorized use of personal information as a result of the breach.

“Accessing the data on the tapes is unlikely to be achieved by someone other than a computer expert proficient in large network backup administration who possesses the sophisticated knowledge, time, financial resources, and motivation necessary to overcome a series of obstacles in order to access, aggregate, decipher and ultimately use any protected data on the tapes,” according to an investigation commissioned by South Shore.

The missing boxes are believed to have been discarded in a landfill.

South Shore’s fine includes a $250,000 civil penalty, a payment of $225,000 to the AG’s office to support a program on protecting health information, and $275,000 which is being credited to reflect security measures taken since the breach.

photo by Viama/flickr

