South Shore agrees to set­tle in breach in­volv­ing 800,000

Modern Healthcare - - LATEST NEWS -

South Shore Hospi­tal, Wey­mouth, Mass., agreed to a $750,000 set­tle­ment to re­solve a law­suit over a 2010 data breach in­volv­ing the records of 800,000 in­di­vid­u­als. South Shore agreed to pay a $250,000 civil penalty along with $225,000 that will go into a fund set up by At­tor­ney Gen­eral Martha Coak­ley to “pro­mote ed­u­ca­tion con­cern­ing the pro­tec­tion of per­sonal in­for­ma­tion and pro­tected health in­for­ma­tion,” ac­cord­ing to a state­ment Coak­ley’s of­fice is­sued. The agree­ment also cred­its the hospi­tal $275,000 to re­flect se­cu­rity mea­sures the hospi­tal has taken since the breach. The law­suit was filed un­der the Mas­sachusetts Con­sumer Pro­tec­tion Act and the privacy and se­cu­rity pro­vi­sions of the fed­eral Health In­sur­ance Porta­bil­ity and Ac­count­abil­ity Act, which was amended un­der the 2009 stim­u­lus law to ex­tend en­force­ment au­thor­ity for privacy and se­cu­rity vi­o­la­tions to state at­tor­neys gen­eral. Ac­cord­ing to Coak­ley’s state­ment, in Fe­bru­ary 2010, the hospi­tal shipped three boxes con­tain­ing 473 un­en­crypted backup com­puter tapes with in­di­vid­u­ally iden­ti­fi­able per­sonal health in­for­ma­tion to a contractor, Ar­chive Data So­lu­tions, “to erase the backup tapes and re­sell them.” The hospi­tal didn’t tell Ar­chive Data So­lu­tions what was on the tapes or en­sure that the contractor had ad­e­quate safe­guards in place, and four months later the hospi­tal learned that only one box of tapes ar­rived at its des­ti­na­tion, Coak­ley’s of­fice said. The miss­ing tapes were never re­cov­ered, but “there re­mains no ev­i­dence that any in­for­ma­tion on the files has ever been ac­cessed or used by any­one,” ac­cord­ing to a South Shore state­ment.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.