Mass. Breach Could Affect 800,000

Backup Files May Have Been Lost
Unencrypted backup computer files containing personal, health and financial information on about 800,000 people may have been lost by a company that a Massachusetts hospital hired to destroy the files.

South Shore Hospital in South Weymouth, Mass., shipped the back-up files for offsite destruction Feb. 26, 2010. When certificates of destruction were not provided in a timely manner, the hospital sought an explanation from the professional data management company handling the destruction, the hospital said in a statement. On June 17, the company informed the hospital that only a portion of the shipped back-up files had been received and destroyed.

So far, there is no evidence that the information on the missing files has been accessed by anyone, according to the hospital.

The files included information on patients, employees, physicians, volunteers, donors, vendors and other business partners dating from Jan. 1, 1996, to Jan. 6, 2010. Information may have included certain individuals' names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers, health plan information, dates of service and diagnosis and treatment information. For a "very small subset" of individuals, information also may have included bank account and credit card numbers, the hospital said.

South Shore has notified the Department of Health and Human Services' Office for Civil Rights as required under the HITECH Act's breach notification rule. It has also notified state authorities.

The hospital will send letters to individuals affected once it verifies whose information may have been included in the missing back-up files. Once the investigation is complete, the hospital will determine whether to provide free credit and identity theft monitoring to any of those affected.

The files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted, the hospital said. "However, specialized software, hardware and technical knowledge and skill would be required for someone to access and decipher the information," according to the hospital's statement.

South Shore has ceased the offsite destruction of back-up computer files "and is putting in place policies to ensure that a similar situation cannot occur," the hospital said.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
