South Shore Hospital in South Weymouth, Mass., is defending its decision to not personally notify by postal mail about 800,000 patients affected by a data breach caused when computer tapes sent for destruction were lost.

The hospital reported the breach in July and said it would send letters in four to six weeks following an investigation. Based on that investigation, the hospital announced in recent days it will not notify by mail, but via its Web site, full-page newspaper ads across the state and e-mail if the address is known.

Having worked with the Massachusetts Attorney General and U.S. Department of Health and Human Services' Office for Civil Rights, "we're confident that we have followed all laws that apply," a hospital spokesperson tells Health Data Management.

But whether the hospital can legally skip the individual notification process remains unclear. The federal breach notification rule preempts "contrary" state laws, and South Shore cited a state law in its decision not to notify by mail. The Office for Civil Rights, when asked if the hospital had the legal right to not individually notify affected patients, responded, "OCR does not discuss open investigations."

Asked if the decision to forgo mail notification was subject to change, the South Shore spokesperson noted the hospital continues to work with state and federal officials. The spokesperson repeatedly declined to discuss the role that financial cost played in the decision to not mail notifications. "We invested what was necessary to conduct a thorough investigation and to inform the community of our finds."

Asked if the hospital believes its chosen way of notification will reach virtually all affected individuals, the spokesperson says, "We are confident that we are keeping our community fully informed about our findings."

And those findings, under which South Shore believes the missing computer tapes are in a secure landfill, do not justify individual notification, the spokesperson says. Even if someone found the tapes, they would need special software, financial resources, time and expertise to access the data. "Based on results of the investigation, we believe there's little or no risk that the data has been or could be accessed."

--Joseph Goedert

 
