South Shore Hospital's security mistake results in $750K settlement

OOPS - 42.86 Kb
South Shore Hospital in Boston has agreed to pay $750,000 to resolve allegations because the provider failed to protect the personal and confidential health information of more than 800,000 consumers, Massachusetts Attorney General Martha Coakley announced. The investigation and settlement resulted from a data breach reported to the AG’s office in July 2010 that included individual’s names, Social Security numbers, financial account numbers and medical diagnoses.

In February 2010, South Shore shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them, according to a release from the state attorney general.

The hospital did not inform Archive Data, the office added, that personal information and protected health information was on the back-up computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information.

South Shore learned only one of the boxes arrived at its destination in Texas in June 2010. The missing boxes have not been recovered although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date, the release noted.

The consent judgment approved in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the attorney general’s office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.

According to the consent judgment, South Shore Hospital also has agreed to take a variety of steps to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes.

The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the attorney general.

Around the web

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”