South Shore Hospital in Massachusetts reveals that backup files containing patient and employee information have disappeared. An investigation to determine what happened to the data is under way.
A Massachusetts hospital is
under scrutiny after hundreds of thousands of patient and employee records went
missing earlier this year. The missing files underscore the problems health
care providers face when balancing patient privacy and the need to store
massive amounts of data, especially as new federal rules for electronic health
records come into play.
, in South Weymouth, Mass., reported July 19 that it's
investigating the potential loss of 800,000 backup files containing personal,
health and financial information of patients, physicians and other individuals
connected with the medical facility.
The files were sent to a data-management company to be destroyed on Feb. 26,
but the hospital was informed on June 17 that only a portion of the backup
records had been received and destroyed. It's unknown at what point the files
disappeared during the four-month period.
"We engaged a professional data-management company to arrange for the
destruction and shipping and it was within this shipping process that these
files were lost," Sarah Darcy, spokesperson for South
told eWEEK. "It was not
something that happened on our campus."
provides acute, outpatient, home health and hospice care and is the largest
independently operated hospital in Eastern Massachusetts.
The files may contain information from patients, employees, physicians,
volunteers, donors, vendors and other business partners who were affiliated
with the hospital between Jan. 1, 1996,
and Jan. 6, 2010.
said it arranged for the files to be destroyed because they were in a file
format it no longer uses. According to the hospital, the files may contain
personal information such as Social Security numbers, driver's license numbers,
data on diagnoses and treatment, and bank account and credit-card information.
The hospital has been in contact with the Massachusetts' Attorney General's
office and Department of Public Health, as well as with the U.S. Department of
Health and Human Services on this matter, but wouldn't disclose the name of the
data-management company or what type of storage device was involved.
The hospital will notify affected individuals in the coming weeks. In the
meantime, it is directing people who may be affected to notify credit agencies
of possible theft.
Darcy declined to provide specifics because of the ongoing investigation, but
she expressed regret for the incident and said the hospital will make sure the
problem doesn't reoccur.
"We've apologized and want to apologize as much possible because, in
the end, we take responsibility for it," said Darcy. "We are
reviewing the policies and procedures, and the outcome of that review will
certainly prevent this from ever happening again. Exactly what steps that will
be taken post-review I can't say yet, because the review is still under
Darcy insisted that it's unlikely the missing data has been accessed.
"There is no evidence from our investigation or from anything that has
been reported to the Massachusetts AG's office that any of this information has
been accessed-no evidence whatsoever," said Darcy. "It would take
special equipment, special software and special knowledge and technical skills
to access any of the information on the files, let alone decipher it."
As hospitals move forward with plans for electronic medical records in
response to the new meaningful-use guidelines
from the U.S. Department of Health and Human Services
, data security
and privacy will remain a concern.
"We thought we were doing the right thing as far as being stewards of
sensitive information," Darcy said.
Nevertheless, when data goes missing, communication with those affected will
be essential. "We are dedicated to being transparent, and this is about
informing the community," the spokesperson said.