Mass. hospital: Back-up data for 800,000 may be lost
The hospital has no evidence that information on the back-up computer files has been accessed by anyone, according to a statement on South Shore Hospital's website. The lost files were in a format the hospital no longer uses, and an independent information security consulting firm has confirmed that specialized software, hardware and technical expertise would be required to access information on the files, the hospital said.
The lost files included personal information about patients who received medical services at the hospital, along with employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital between Jan. 1, 1996, and Jan. 6, 2010.
Information on the missing back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, patient numbers, health plan information, dates of service and protected health information, including diagnoses and treatments relating to certain hospital and home healthcare visits and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up files, the hospital reported.
The back-up computer files were shipped for offsite destruction on Feb. 26. “When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation,” according to the statement. “South Shore Hospital was finally informed on June 17 that only a portion of the shipped back-up computer files had been received and destroyed.”
South Shore Hospital launched an investigation when it learned the files may have been lost. The investigation has included working with the data management company and shippers to search for the missing back-up computer files, taking steps to verify the scope and types of information contained in the back-up computer files and assessing the possibility that someone could access that information.
In addition, the hospital said it has advised the state Attorney General’s office, the state Department of Public Health, and the U.S. Department of Health and Human Services; has ceased offsite destruction of back-up computer files; and is enacting policies to ensure that a similar situation cannot occur again.
South Shore Hospital is working to verify whose information may have been on the missing back-up computer files, according to the statement. Formal notification letters will be sent in the next several weeks, and a sample notification letter has been posted on the hospital’s website.
“While there is no evidence that information on the back-up computer files has been improperly accessed, individuals may take steps to protect themselves,” the hospital said. Individuals can obtain a free credit report by visiting www.annualcreditreport.com or calling (877) 322-8228 toll free, or they can place a fraud alert on their credit report.