Massachusetts Hospital Reports 800,000 Personal Records Missing

A Massachusetts hospital is under scrutiny after hundreds of thousands of patient and employee records went missing earlier this year. The missing files underscore the problems health care providers face when balancing patient privacy and the need to store massive amounts of data, especially as new federal rules for electronic health records come into play.

South Shore Hospital, in South Weymouth, Mass., reported July 19 that it's investigating the potential loss of 800,000 backup files containing personal, health and financial information of patients, physicians and other individuals connected with the medical facility.

The files were sent to a data-management company to be destroyed on Feb. 26, but the hospital was informed on June 17 that only a portion of the backup records had been received and destroyed. It's unknown at what point the files disappeared during the four-month period.

"We engaged a professional data-management company to arrange for the destruction and shipping and it was within this shipping process that these files were lost," Sarah Darcy, spokesperson for South Shore Hospital, told eWEEK. "It was not something that happened on our campus."

South Shore provides acute, outpatient, home health and hospice care and is the largest independently operated hospital in Eastern Massachusetts.

The files may contain information from patients, employees, physicians, volunteers, donors, vendors and other business partners who were affiliated with the hospital between Jan. 1, 1996, and Jan. 6, 2010.

South Shore said it arranged for the files to be destroyed because they were in a file format it no longer uses. According to the hospital, the files may contain personal information such as Social Security numbers, driver's license numbers, data on diagnoses and treatment, and bank account and credit-card information.

The hospital has been in contact with the Massachusetts' Attorney General's office and Department of Public Health, as well as with the U.S. Department of Health and Human Services on this matter, but wouldn't disclose the name of the data-management company or what type of storage device was involved.

The hospital will notify affected individuals in the coming weeks. In the meantime, it is directing people who may be affected to notify credit agencies of possible theft.

Darcy declined to provide specifics because of the ongoing investigation, but she expressed regret for the incident and said the hospital will make sure the problem doesn't reoccur.

"We've apologized and want to apologize as much possible because, in the end, we take responsibility for it," said Darcy. "We are reviewing the policies and procedures, and the outcome of that review will certainly prevent this from ever happening again. Exactly what steps that will be taken post-review I can't say yet, because the review is still under way."

Darcy insisted that it's unlikely the missing data has been accessed.

"There is no evidence from our investigation or from anything that has been reported to the Massachusetts AG's office that any of this information has been accessed—no evidence whatsoever," said Darcy. "It would take special equipment, special software and special knowledge and technical skills to access any of the information on the files, let alone decipher it."

As hospitals move forward with plans for electronic medical records in response to the new meaningful-use guidelines from the U.S. Department of Health and Human Services, data security and privacy will remain a concern.

"We thought we were doing the right thing as far as being stewards of sensitive information," Darcy said.

Nevertheless, when data goes missing, communication with those affected will be essential. "We are dedicated to being transparent, and this is about informing the community," the spokesperson said.