Dispute Arises Over Breach NotificationMass. Attorney General Says Hospital Taking Wrong Approach
When the hospital announced the breach incident in July, it said it planned to send out individual notifications. But following an investigation of the incident involving the loss of two boxes of backup computer tapes, it announced a change in its notification strategy, shifting primarily to newspaper and website announcements instead.
Attorney General Martha Coakley maintains that the hospital should mail notices about the incident to the patients potentially affected, as the hospital originally planned to do. Coakley's office will "continue to monitor and investigate South Shore Hospital's actions with regards to the data breach and its response," according to a statement.
The hospital argues that its new notification strategy is consistent with the "substitute notification strategy" in Massachusetts General Law Chapter 93H. That law says the alternative notification strategy can be used: "If the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice."
But under the HITECH interim final breach notification rule, breaches affecting 500 or more individuals must be reported to federal authorities, as well as all the individuals affected, within 60 days. Plus, the federal rule pre-empts "contrary state law."
The Department of Health and Human Services' Office for Civil Rights, which posted a notice of the South Shore Hospital incident on its list of major breaches, declined to comment on the hospital's notification process. "OCR does not discuss open investigations," a spokesman says.
New Details RevealedOn Sept. 8, the hospital posted a lengthy notice on its website offering many new details about the incident. The statement notes the hospital's plans to forgo notifying each individual potentially affected. Instead, the hospital and two other healthcare organizations involved plan to publish notices in the state's largest-circulation newspapers as well as on their websites. Notices also will be displayed at the hospital and in physician offices.
South Shore Hospital acknowledges the missing tapes could have included information on 800,000 individuals. That information may include personal, health and financial information about hospital patients, employees, physicians, volunteers, donors, vendors and others. In addition, the tapes may have included information on patients of Harbor Medical Associates, a physician group, and patients and vendors associated with South Shore Physician Hospital Organization, an integrated delivery system.
"All available evidence indicates that the files are unrecoverable and that there is little to no risk that information on the files has been or could be acquired, accessed or misused," according to the hospital's statement.
Chain of EventsThe hospital says it hired Archive Data Solutions, formerly known as Iron Mountain Data Products, on Feb. 26 to destroy back-up computer tapes that were in a format the hospital no longer used.
Archive Data Solutions subcontracted the work to Graham Magnetics without telling the hospital, hospital executives contend. Then, Graham Magnetics arranged for the three boxes of tapes to be shipped to its Texas facility for destruction.
When the hospital did not receive certificates of destruction in a timely manner, it asked Archive Data Solutions for an explanation. The vendor told the hospital June 17 that its subcontractor, Graham Magnetics, had received and destroyed the contents of just one of the three boxes of computer tapes, but it had not received the other two boxes.
All the parties involved then began an investigation, with the help of Huron Consulting Group. They determined that the unmarked computer tapes were packed in three sealed boxes that were wrapped together on a shipping pallet. There was no indication inside or outside the boxes that they contained confidential information.
The hospital, Huron and R+L Carriers, the company that was supposed to transport the boxes, conducted multi-state searches for the missing cargo. It appears that the three boxes were separated from each other during transport, the hospital says. Once they were separated, two of the three boxes were unidentifiable because they lacked labels. "As a result, those two boxes of computer tapes are believed to have been disposed of in a secure landfill that R+L Carriers uses to dispose of unclaimed materials and are therefore unrecoverable," according to the hospital's statement.
Huron concluded that "even if the tapes were found, specialized equipment, proprietary software, sophisticated knowledge, time and financial resources would be required" to use the information on the tapes, the hospital says.