Mass. Breach Could Affect 800,000
Backup Files May Have Been Lost
South Shore Hospital in South Weymouth, Mass., shipped the back-up files for offsite destruction Feb. 26, 2010. When certificates of destruction were not provided in a timely manner, the hospital sought an explanation from the professional data management company handling the destruction, the hospital said in a statement. On June 17, the company informed the hospital that only a portion of the shipped back-up files had been received and destroyed.
So far, there is no evidence that the information on the missing files has been accessed by anyone, according to the hospital.
The files included information on patients, employees, physicians, volunteers, donors, vendors and other business partners dating from Jan. 1, 1996, to Jan. 6, 2010. Information may have included certain individuals' names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers, health plan information, dates of service and diagnosis and treatment information. For a "very small subset" of individuals, information also may have included bank account and credit card numbers, the hospital said.
South Shore has notified the Department of Health and Human Services' Office for Civil Rights as required under the HITECH Act's breach notification rule. It has also notified state authorities.
The hospital will send letters to individuals affected once it verifies whose information may have been included in the missing back-up files. Once the investigation is complete, the hospital will determine whether to provide free credit and identity theft monitoring to any of those affected.
The files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted, the hospital said. "However, specialized software, hardware and technical knowledge and skill would be required for someone to access and decipher the information," according to the hospital's statement.
South Shore has ceased the offsite destruction of back-up computer files "and is putting in place policies to ensure that a similar situation cannot occur," the hospital said.