Massachusetts Hospital Security Breach Affects 800,000
South Weymouth, Mass. - South Shore Hospital reported July 19 a massive security breach conceivably affecting some 800,000 individuals—including patients, physicians, employees, donors, volunteers, and vendors. Back-up computer files containing 14 years’ worth of personal health and financial information were lost while in transit to a data management company hired to destroy them.
The files were shipped to the unnamed data management company Feb. 26, but the hospital says it wasn’t until June 17 that the data management company admitted to receiving and destroying only a portion of the shipped back-up computer files.
Compromised information may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information gathered between Jan. 1, 1996 and Jan. 6, 2010. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files, the hospital says.
South Shore says there is no evidence that information on the back-up computer files has been accessed by anyone. An independent information-security consulting firm hired by the hospital confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files. The hospital does not mention in the notice posted on its website whether the data was encrypted.
The Breach Notification Rule requires all HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The Secretary of Health and Human Services (HHS) must post a list of breaches of unsecured PHI affecting 500 or more individuals on the HHS website. South Shore says it is working to verify whose information may have been on the missing back-up computer files and that formal notification letters will be sent to those individuals in the next few weeks.