By Amy Crafts
Following a two-year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, in which the exposed information included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
In February 2010, South Shore Hospital retained a third-party service provider to erase 473 unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. While the third-party service provider was retained before the Regulations were implemented, the AGO noted that South Shore Hospital did not notify the third-party service provider that the tapes contained such sensitive information, and also did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.
In June 2010, South Shore Hospital learned that only one of the boxes was accounted for, and that two of the boxes were missing. There have been no reports of unauthorized use of the personal information or protected health information to date. An investigation conducted by South Shore Hospital indicated that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable.
Full Story via Proskauer Privacy Blog