Massachusetts Hospital Agrees to $750,000 Settlement in Data Breach Lawsuit

South Shore Hospital in Massachusetts has agreed with state regulators to pay a $750,000 settlement following the loss of data files in a 2010 security breach.

South Shore Hospital in South Weymouth, Mass., has agreed to a $750,000 settlement for a 2010 data breach involving lost backup files containing health information for 800,000 individuals.

The hospital informed the Massachusetts attorney general's office of a breach in July 2010 and the state filed a lawsuit May 21, 2012. The grounds for the lawsuit were "unfair or deceptive conduct" in violation of the Massachusetts Consumer Protection Act and failure to safeguard patient information under the federal Health Insurance Portability and Accountability Act (HIPAA).

HIPAA violations included a lack of policies and procedures to protect consumers' data, failure to establish a business associate agreement with its data-management company Archive Data and inadequate training of the hospital's workforce with respect to health data privacy, according to the Massachusetts attorney general's office.

A judge awarded a consent judgment, or settlement, on May 24, and the state's attorney general, Martha Coakley, announced the agreement that day.

Protecting information that business associates can access is a requirement under HIPAA. For South Shore Hospital, the business associate was Archive Data. In other cases, attorneys or consultants could fall under this category.

The hospital did not inform Archive Data that the tapes stored health information, the Massachusetts attorney general's office reported.

South Shore Hospital also hadn't determined if Archive Data had taken the necessary steps to protect sensitive information, according to the attorney general.

"Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form," Massachusetts Attorney General Martha Coakley said in a statement. "It is their responsibility to understand and comply with the laws of our commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach."

South Shore Hospital is a 318-bed facility that serves southeastern Massachusetts. It will pay a regulatory enforcement fine of $250,000 and a $225,000 contribution to a data-security education fund. The state will credit the hospital $275,000 for improvements the facility has made to its technology and data handling since the breach occurred.

"The state's review has been comprehensive and thorough," Richard H. Aubut, South Shore Hospital's president and CEO, said in a statement. "We appreciate that the attorney general has recognized the steps we've taken to enhance our data-security systems and hope to be able to serve as a source of information about best practices for other health care providers."

The hospital must adopt data-security protocols as part of the agreement. They include undergoing a review of security measures and reporting improvements in data security to the attorney general. The hospital has agreed to abide by regulations regarding contracts with business associates and third parties involved in discarding data.

No evidence exists that the lost backup computer files were accessed, according to the hospital.

"It would take special equipment, special software, and special knowledge and technical skills to access any of the information on the files, let alone decipher it," Sarah Darcy, spokesperson for South Shore Hospital, told eWEEK in 2010 when the incident became public.

The hospital had sent 473 unencrypted backup computer tapes to Archive Data to be destroyed but later learned that the firm had received and erased only one out of three boxes' worth of records.

The backup files contained patients' names, Social Security numbers, financial account numbers and medical diagnoses.

Another recent data breach that also involved 800,000 potential victims occurred when configuration errors at Utah's Department of Technology Services (DTS) left Social Security numbers from Medicaid claims exposed. The incident also compromised data for children who receive health insurance under the Children's Health Insurance Plan. The director at Utah's DTS division resigned following the incident.

With the number of data breaches increasing, health care organizations need to invest in security measures such as intrusion-protection software and increase the number of audits.