In July 2010, South Shore Hospital announced that boxes containing unencrypted back-up computer tapes with personal data on over 800,000 patients, employees, and others affiliated with the hospital were lost en route to Archive Data Solutions, a data management firm that the hospital paid to dispose of the files.
The Attorney General filed a lawsuit against the hospital under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). The allegations against the hospital in the lawsuit included failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information; failing to have a business associate agreement in place with Archive Data; and failing to properly train its workforce with respect to health data privacy.
As part of the settlement, South Shore Hospital agreed to pay a $250,000 civil penalty and make a $225,000 contribution to a state fund to promote awareness of the protection of protected health information. The hospital was also credited for the $275,000 it spent on security measures after the breach.
South Shore Hospital has also agreed to take a number of steps to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.