South Shore Hospital data breach may affect up to 800,000; contractor named

South Shore Hospital, located in South Weymouth, Mass., posted notification of the data breach on its website earlier this week. The hospital, which is in the process of personally notifying affected individuals via conventional mail, said the incident occurred this past February when it sent outdated data files to a professional data management company to have them destroyed.

A lengthy list of those affected includes patients, employees, donors, volunteers, vendors, and other partners – up to 800 000 in all, from January 1996 through January of this year. A host of personal information was contained on the files, from driver’s license numbers, SSNs, medical records, and even banking details for what South Shore said is “a small subset”.

South Shore said it shipped the backup files to the then unnamed contractor but was informed months later that only a fraction of the boxes were received. This set in motion the necessary HIPPA reporting process, as South Shore informed the Massachusetts Attorney General, the Massachusetts Department of Health, and the US Department of Health and Human Services about the potential data breach.

A spokesperson for South Shore Hospital told Infosecurity that details of the case could not be disclosed because of the ongoing investigation, including the name of the data management company it used.

But it has come to our attention that Archive Data Solutions – formerly known as Iron Mountain Data Products – was the other party involved, which has been confirmed by the Department of Health and Human Services via its Health Information Privacy disclosure website. The HITECH act of 2009 requires that all data breaches affecting the private medical information of more than 500 individuals be posted on the department’s website.

“Iron Mountain Incorporated and its affiliates were not involved with the incident that South Shore Hospital says led to losing several of its computer backup tapes. Archive Data Solutions ( was the vendor”, an Iron Mountain spokesperson told Infosecurity.

“Until recently, Archive Data Solutions – which is not a subsidiary or affiliate of Iron Mountain – operated under the name ‘Iron Mountain Data Products’. Archive Data Solutions previously licensed the ‘Iron Mountain’ name specifically for the sale of data products, not services apparently related to this incident”, the spokesperson added.

Archive Data Solutions did not return requests for comment.

What’s Hot on Infosecurity Magazine?