South Shore Hospital in Weymouth, Mass., has agreed to a $750,000 settlement with the state Office of Attorney General following a breach of protected health information that affected about 800,000 patients in 2010.

Under the agreement, the fined amount is $750,000 but the hospital will be credited $275,000 as recognition of investments it has made in improving information security. The hospital will pay a $250,000 regulatory enforcement payment and make a $225,000 contribution to a data security education fund.

The hospital sent hundreds of back-up computer tapes in three boxes to a contractor for destruction in February 2010, but the contractor only received one box. The contractor did not notify South Shore until June 2010. The boxes were never found and following an investigation South Shore said it believed but could not prove that the boxes were disposed of in a secure landfill.

For your consideration: Keeping an Eye on Business Associates

Compromised information may have included name, address, phone number, date of birth, Social Security number, medical record number, patient number, health plan information, dates of service, diagnoses and treatments. For a “very small subset” of individuals, bank account and credit card numbers may have been on the files, according to the hospital. The hospital did not offer paid credit or identity protection services.

South Shore announced the breach in July 2010 by placing a prominent notice on its Web site, and said the investigation continued and notification letters would go out in four to six weeks.

In September 2010, the hospital said it had determined that the breach is not sufficient to warrant postal mailing individual notification letters. Rather, it would notify affected patients via notices in newspapers, on the hospital and affected physician practice Web sites, on signs posted in hospital and provider offices, and by email if the address was available. South Shore cited a state law that permits alternative notification if the cost of individual notification will exceed $250,000 or the breach affects more than 500,000 residents.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access