Mass. Hospital Breach Affects 800,000
South Shore Hospital in South Weymouth, Mass., has announced that back-up computer files that were sent to a contractor to be destroyed have been lost, a breach that could affect approximately 800,000 individuals.
The files contained extensive amounts of protected medical and financial information. They were not encrypted because the back-up process used for the files did not permit encryption. Specialized technology and knowledge, however, are required to access the files, according to the hospital.
The hospital has prominently placed a notice of the breach on its Web site, along with a sample notification letter, the steps affected individuals can take to protect their medical and financial information, and a Q&A page. The hospital also has notified state and federal authorities.
The investigation continues and official letters of notification to affected individuals will start going out in four to six weeks, according to a hospital spokesperson. The sample notification letter does not include a hospital offer to provide free credit and identity theft protection services. Once the investigation is complete, the hospital will determine whether such services will be offered, and the sample notification letter is subject to change before being mailed to individuals, according to the spokesperson.
What follows is the hospital's official notice of the breach on its Web site:
"South Shore Hospital today reported that back-up computer files containing personal, health and financial information may have been lost by a professional data management company. The hospital had engaged the company to destroy the files because they were in a format the hospital no longer uses. The hospital has no evidence that information on the back-up computer files has been accessed by anyone. An independent information-security consulting firm has confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files.
"Based upon South Shore Hospital's investigation so far, the back-up computer files could contain personally identifiable information for approximately 800,000 individuals. Included among those individuals are patients who received medical services at South Shore Hospital - as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital - between January 1, 1996 and January 6, 2010. The information on the back-up computer files may include individuals' full names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files.
"South Shore Hospital's back-up computer files were shipped for offsite destruction on February 26, 2010. When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.
"South Shore Hospital immediately launched an investigation when it learned that its back-up computer files may have been lost. The investigation has included working with the data management company and shippers to search for the missing back-up computer files, taking steps to verify the scope and types of information contained in the back-up computer files, and assessing the possibility that someone could access that information. South Shore Hospital has advised the MA Attorney General's office, the MA Department of Public Health, and the US Department of Health and Human Services about this matter. The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur. The investigation into the matter remains ongoing.
"I am deeply sorry that these files may have been lost," said Richard H. Aubut, South Shore Hospital president and chief executive officer. "Safeguarding confidentiality is fundamental to our mission of healing, caring and comforting. I recognize that this situation is unacceptable and would like to personally apologize to all those who have trusted us with their sensitive information."
"South Shore Hospital is working to verify whose information may have been on the missing back-up computer files. Formal notification letters will be sent to them in the next several weeks. In the meantime, a sample individual notification letter has been posted. While there is no evidence that information on the back-up computer files has been improperly accessed, individuals may take steps to protect themselves, such as obtaining a free credit report, which can be done by visiting www.annualcreditreport.com or calling (877) 322-8228 toll free, or placing a fraud alert on their credit report with one of the three major credit reporting agencies (Equifax, Experian and TransUnion Corp).
"Information about this matter is posted to South Shore Hospital's website at www.southshorehospital.org and is available through a special automated toll-free Information Line at (877) 309-0176."