Just came across a press release: “South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers.” The investigation and settlement resulted from a data breach reported to the AG’s Office in July 2010 that included individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses.
The case began in February 2010, when South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them. In June 2010 South Shore Hospital learned that only one of the boxes had arrived at its destination in Texas. The missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date. You can read the full press release here.
Clearly there are a number of problem areas here, each a violation of both federal and state requirements, namely:
- Having ePHI (electronic protected health information) stored in unencrypted form, making it possible for anyone with the right tools to read it once the tapes left the hospital’s control. Encrypting the data would have protected it from unauthorized access and would also have created a “safe harbor” situation for the hospital, wherein it would not have had to report the loss as a breach. The caveat is that safe harbor only holds if the decryption keys are kept separate from the tapes; keys shipped in the same box give no protection at all.
- Not having well documented policies and procedures for data disposal. The hospital should have had a data destruction policy that clearly outlined the steps to be followed from the moment the boxes were loaded onto the truck, through chain-of-custody tracking in transit, to timely verification and acknowledgement of receipt by the data disposal company. Had such a process existed, a missing box would have been noticed in February, not discovered four months later.
- The hospital did not have a Business Associate (BA) agreement with the data disposal company and failed to notify it that the boxes contained ePHI. HIPAA requires a BA agreement with any vendor that handles PHI on a covered entity’s behalf; having one would have ensured that everyone involved in the process was aware of their responsibilities under federal and state security laws and regulations.
- Since there was no documented data destruction policy in place, hospital staff could not have been properly trained on the data security and privacy issues involved in handling and shipping backup media.
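To make the first two points concrete, here is an added example (my own illustration, not code from the press release or from the hospital or vendor involved) of what “encrypted before shipping, verified on receipt” looks like in practice. It uses envelope encryption: each tape’s image is encrypted under its own data key with AES-256-GCM, that data key is wrapped under a site key-encryption key (KEK) that never leaves the hospital, and a manifest records the SHA-256 of each tape’s ciphertext so the receiver can acknowledge exactly what arrived without the manifest itself containing any PHI. The tape and box identifiers, backup contents and KEK are all constructed for the demonstration; in production the KEK would come from an HSM or key vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Tape is one backup volume as it would leave the building: ciphertext plus the
// per-tape data key sealed under the site KEK. The KEK itself never travels with
// the shipment, so a lost box is unreadable to whoever ends up with it.
type Tape struct {
	ID         string
	Box        string
	Ciphertext []byte // AES-256-GCM: nonce || ciphertext || tag
	WrappedDEK []byte // data key sealed under the KEK, same format
}

// ManifestEntry is recorded before the truck is loaded and acknowledged by the
// receiver. It hashes the ciphertext, so the manifest holds no PHI.
type ManifestEntry struct {
	TapeID string
	Box    string
	SHA256 string
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any modified byte fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// PrepareTape encrypts one backup image under a fresh data key, wraps that key
// under the KEK, and returns the tape together with its manifest entry.
func PrepareTape(kek []byte, id, box string, backup []byte) (Tape, ManifestEntry, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Tape{}, ManifestEntry{}, err
	}
	ct, err := seal(dek, backup)
	if err != nil {
		return Tape{}, ManifestEntry{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Tape{}, ManifestEntry{}, err
	}
	sum := sha256.Sum256(ct)
	return Tape{ID: id, Box: box, Ciphertext: ct, WrappedDEK: wrapped},
		ManifestEntry{TapeID: id, Box: box, SHA256: hex.EncodeToString(sum[:])}, nil
}

// RestoreTape is what the KEK holder can do with a tape and nobody else can.
func RestoreTape(kek []byte, t Tape) ([]byte, error) {
	dek, err := open(kek, t.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, t.Ciphertext)
}

// VerifyReceipt is the receiver's acknowledgement step: every manifest entry must
// be matched by a tape that arrived with an unchanged ciphertext hash. It returns
// the IDs of tapes that are missing and of tapes whose contents do not match.
func VerifyReceipt(manifest []ManifestEntry, received []Tape) (missing, altered []string) {
	byID := make(map[string]Tape, len(received))
	for _, t := range received {
		byID[t.ID] = t
	}
	for _, m := range manifest {
		t, ok := byID[m.TapeID]
		if !ok {
			missing = append(missing, m.TapeID)
			continue
		}
		sum := sha256.Sum256(t.Ciphertext)
		if hex.EncodeToString(sum[:]) != m.SHA256 {
			altered = append(altered, m.TapeID)
		}
	}
	return missing, altered
}

func main() {
	kek := make([]byte, 32) // constructed: in practice from an HSM or key vault
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	var manifest []ManifestEntry
	var shipped []Tape
	for i, box := range []string{"box-1", "box-2", "box-3"} { // constructed shipment
		t, m, err := PrepareTape(kek, fmt.Sprintf("T%03d", i+1), box, []byte("constructed backup image in "+box))
		if err != nil {
			panic(err)
		}
		shipped, manifest = append(shipped, t), append(manifest, m)
	}
	// Only the first box reaches the vendor, as happened in the South Shore shipment.
	missing, altered := VerifyReceipt(manifest, shipped[:1])
	fmt.Println("missing:", missing, "altered:", altered)
	// Whoever has a lost box holds ciphertext and a wrapped key, but no KEK.
	_, err := RestoreTape(make([]byte, 32), shipped[1])
	fmt.Println("decrypt without KEK:", err)
	plain, _ := RestoreTape(kek, shipped[1])
	fmt.Println("decrypt with KEK:", string(plain))
}
```

Two design points are worth noting. The manifest hashes ciphertext rather than plaintext, so it can be e-mailed to the vendor ahead of the shipment and compared on arrival without anyone outside the hospital handling PHI. And because GCM authenticates as well as encrypts, a tape that was tampered with in transit fails both the manifest check and decryption, so the receiving side cannot quietly accept a damaged or substituted volume.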