South Shore Hospital in South Weymouth, Mass., on July 19 announced that back-up computer files that were sent to a contractor to be destroyed have been lost. The files contained extensive amounts of protected medical and financial information. They were not encrypted because a back-up process for the files did not permit them to be encrypted. Specialized technology and knowledge, however, are required to access the files, according to the hospital.
The files contained personal, clinical and financial information. Affected individuals included patients, employees, physicians, volunteers, donors, vendors and other business partners of the hospital. Those affected also included certain patients and vendors associated with the group practice Harbor Medical Associates and South Shore Physician Hospital Organization. Some of these individuals have never been patients at the hospital.
The hospital in July prominently placed a notice of the breach on its Web site, along with a sample notification letter, the steps affected individuals can take to protect their medical and financial information, and a Q&A page. The hospital also notified state and federal authorities.
The sample letter did not include a hospital offer to provide free credit and identity theft protection services.
A hospital spokesperson in July said that once the investigation was complete, the hospital would determine whether such services would be provided and the sample notification letter was subject to change before being mailed to individuals.
Now, the hospital has determined that risk from the breach is not sufficient to warrant postal mailing individual notification letters. Rather, it will notify individuals via notices in newspapers, on the hospital and affected physician practice Web sites, on signs posted in hospital and provider offices, and by e-mail if the hospital has the e-mail address.
A Massachusetts state law governing security breaches enables an organization to use "substitute" types of notifications "if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice."
It is not clear, however, if the hospital can legally skip the process of notifying affected individuals. The federal interim breach notification rule issued in August 2009 preempts "contrary state law." Under the federal rule, if breached data is unusable, unreadable or indecipherable to unauthorized individuals because of certain encryption or destruction measures taken, notification of the breach is not required.
According to a new statement on the hospital's Web site, the investigation found that the lost computer tapes "are believed" to have been disposed of in a secure commercial landfill that a contractor uses to dispose of unclaimed materials "and are therefore unrecoverable." The hospital in the statement also says "there remains no evidence that any information on the missing back-up computer files has ever been acquired, accessed, or used by anyone."
Still, the hospital believes but cannot prove the data is in a secure landfill. It cannot prove the data is unusable because of certain measures taken. Officials of the Office for Civil Rights in the U.S. Department of Health and Human Services were not immediately available to discuss whether the hospital must under the federal breach law notify individuals.
A hospital spokesperson did not return a telephone call asking for additional information on the decision not to notify individuals.
Massachusetts Attorney General Martha Coakley "has objected to South Shore Hospital's revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss," according to a statement from her office. "The Attorney General's Office will continue to monitor and investigate South Shore Hospital's actions with regards to the data breach and its response."
To access South Shore Hospital's new statement, click here.