Under the agreement, the fined amount is $750,000, but the hospital will be credited $275,000 in recognition of investments it has made in improving information security. The hospital will pay a $250,000 regulatory enforcement payment and make a $225,000 contribution to a data security education fund.
The hospital sent hundreds of back-up computer tapes in three boxes to a contractor for destruction in February 2010, but the contractor received only one box. The contractor did not notify South Shore until June 2010. The boxes were never found, and following an investigation South Shore said it believed, but could not prove, that the boxes had been disposed of in a secure landfill.
Compromised information may have included name, address, phone number, date of birth, Social Security number, medical record number, patient number, health plan information, dates of service, diagnoses and treatments. For a “very small subset” of individuals, bank account and credit card numbers may have been in the files, according to the hospital. The hospital did not offer paid credit or identity protection services.
South Shore announced the breach in July 2010 by placing a prominent notice on its Web site, and said the investigation continued and notification letters would go out in four to six weeks.
In September 2010, the hospital said it had determined that the breach was not sufficient to warrant mailing individual notification letters. Rather, it would notify affected patients via notices in newspapers, on the hospital and affected physician practice Web sites, on signs posted in hospital and provider offices, and by email where an address was available. South Shore cited a state law that permits alternative notification if the cost of individual notification would exceed $250,000 or the breach affects more than 500,000 residents.