South Shore agrees to settle in breach involving 800,000
South Shore Hospital, Weymouth, Mass., agreed to a $750,000 settlement to resolve a lawsuit over a 2010 data breach involving the records of 800,000 individuals. South Shore agreed to pay a $250,000 civil penalty along with $225,000 that will go into a fund set up by Attorney General Martha Coakley to “promote education concerning the protection of personal information and protected health information,” according to a statement Coakley’s office issued. The agreement also credits the hospital $275,000 to reflect security measures the hospital has taken since the breach.

The lawsuit was filed under the Massachusetts Consumer Protection Act and the privacy and security provisions of the federal Health Insurance Portability and Accountability Act, which was amended under the 2009 stimulus law to extend enforcement authority for privacy and security violations to state attorneys general.

According to Coakley’s statement, in February 2010, the hospital shipped three boxes containing 473 unencrypted backup computer tapes with individually identifiable personal health information to a contractor, Archive Data Solutions, “to erase the backup tapes and resell them.” The hospital didn’t tell Archive Data Solutions what was on the tapes or ensure that the contractor had adequate safeguards in place, and four months later the hospital learned that only one box of tapes arrived at its destination, Coakley’s office said.

The missing tapes were never recovered, but “there remains no evidence that any information on the files has ever been accessed or used by anyone,” according to a South Shore statement.