Hospital agrees to pay $750,000 over data breach allegations

A Massachusetts hospital has agreed to a $750,000 court settlement over allegations that it failed to protect sensitive patient data.

According to a statement released by the Massachusetts Attorney General's (AG) office, a consent judgment approved in Suffolk Superior Court involving South Shore Hospital includes a $250,000 civil penalty and a payment of $225,000 to be used by the AG's office to create awareness concerning data security and sensitive information.

The hospital was credited $275,000 “to reflect security measures it has taken subsequent to the breach.”

In February 2010, three boxes containing 473 unencrypted tapes with the personal and confidential information of 800,000 people were shipped by South Shore Hospital to data management contractor Archive Data Solutions, which was to erase the information and then resell the tapes, the statement said.

In June 2010, the hospital learned that only one of the boxes had arrived.

The information on the back-up tapes included Social Security numbers, addresses, phone numbers, birth dates and health plan information, in addition to diagnoses and treatments.

The statement says that the hospital not only failed to notify Archive Data Solutions of the sensitive information stored on the files, but also did not establish whether the contractor had the proper security measures in place to protect the information, thus violating the federal Health Insurance Portability and Accountability Act (HIPAA).

“We appreciate that the Attorney General has recognized the steps we've taken to enhance our data-security systems and hope to be able to serve as a source of information about best practices for other health care providers,” said Richard H. Aubut, South Shore Hospital president and chief executive officer, in a statement released Thursday by the hospital.

Enforcement of data security laws has been on the rise and fines have become common, as in a recent settlement involving BlueCross BlueShield of Tennessee.
