Massachusetts’ South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the confidential health information of more than 800,000 patients. Although the matter was not brought as a HIPAA violation (it could have been), the settlement stems from a data breach that South Shore reported to the Massachusetts Attorney General’s office in July 2010. The exposed data included individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.
Earlier that year, South Shore had shipped boxes containing 473 unencrypted backup computer tapes holding the protected health information (“PHI”) of 800,000 individuals offsite to be erased. According to a release from the state attorney general, the hospital had contracted with Archive Data Solutions to erase the backup tapes and resell them.
The hospital did not inform Archive Data, the office added, that personal information and PHI were on the backup tapes, nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information.
Only one of the boxes arrived. The missing boxes have not been recovered.
The consent judgment approved in the Massachusetts state court includes a $250,000 civil penalty and a payment of $225,000 for a fund to be used by the attorney general to promote education concerning the protection of personal information and PHI.
The remaining $275,000 of the settlement is credited for security measures South Shore Hospital has already implemented to prevent this type of breach in the future, such as steps to ensure compliance with state and federal data security requirements, including its business associate contract obligations. The hospital also agreed to undergo a review and audit of its security measures and to report the results and corrective actions to the attorney general.