Risk
5/29/2012
02:10 PM
50%
50%

Data Breach Costs Massachusetts Hospital $750K

South Shore Hospital pays a hefty $750,000 to settle a lawsuit alleging that it failed to protect personal and confidential patient information.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
South Shore Hospital, based in Weymouth, Mass., paid $750,000 to settle a lawsuit alleging that it failed to protect patients' electronic health information (ePHI). The hospital is charged with losing 473 unencrypted backup computer tapes containing the names, social security numbers, financial account numbers, and medical diagnoses of 800,000 individuals.

News of the settlement came in a statement from the Massachusetts Attorney General's office dated May 24th. According to the consent judgment approved in the Suffolk Superior Court, South Shore Hospital will pay a $250,000 civil penalty and $225,000 toward an education fund that will be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information. The consent judgment credits South Shore Hospital for the additional $275,000 the hospital spent to beef up its security measures in the aftermath of the data breach.

According to Massachusetts attorney general Martha Coakley, hospitals and other entities that handle personal and protected health information are obligated to properly protect sensitive data, whether it is in paper or electronic form.

"It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach," Coakley said.

[ ONC guidelines recommend that medical practices establish a privacy and security officer to help safeguard patient data. Read more at ONC To Medical Practices: Get A Security Officer. ]

The data breach was reported to the Attorney General's Office in July 2010, and a subsequent investigation found that in February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes with 800,000 individuals' personal information and protected health information off-site to be erased. The hospital contracted with Phoenixville, Pa.-based Archive Data Solutions to erase the backup tapes and resell them.

However, the hospital did not inform Archive Data that the backup computer tapes contained personal information and protected health information; nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Further complicating matters, the investigation showed that multiple companies handled the shipping of the boxes containing the tapes.

In June 2010, South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The other missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

In an interview, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, said the investigation's findings reveal many points of internal breakdown in South Shore Hospital's policies and procedures to protect patients' ePHI. According to Berger, this could have been preempted had a comprehensive security risk analysis been conducted prior to the incident.

He also said the findings of the Massachusetts Attorney General's investigation raises serious questions, including why the data was unencypted. According to Berger, encrypting patient data is an addressable requirement under HIPAA, and if the hospital chose not to encrypt, they were required to implement comparable means of protecting the data.

The investigation also raised other troubling questions. "Why didn't South Shore sign a Business Associate agreement with Archive Data?" Berger said. "Additionally, the hospital should have known that its custodial responsibility in regard to safeguarding protected health information (PHI) pertains to all copies of the data, whether in use at the hospital or at a business partner, and extends through the 'life cycle' of that data--all the way through to disposal."

The allegations in the lawsuit against South Shore Hospital were based on violations of the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Among the violations are failing to implement appropriate safeguards, policies, and procedures to protect consumers' information; failing to have a Business Associate Agreement in place with Archive Data Solutions; and failing to properly train workforce with respect to health data privacy.

To better protect patient information, South Shore Hospital has agreed to adopt a number of measures to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the attorney general.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetireIT
50%
50%
RetireIT,
User Rank: Apprentice
5/30/2012 | 3:11:36 PM
re: Data Breach Costs Massachusetts Hospital $750K
Both SSH and Archive Data were asleep at the wheel. Archive Data said it tried for about a month to track down the tapes before notifying the hospital. Where in Texas did Archive Data send the tapes? How were they shipped? It doesnG«÷t take a month to determine the loss. Clearly SSH lacked adequate controls and proper monitoring. SSH outsourced to Archive Data without proper vetting. Huron Consulting was hired to say there was no Significant Risk of harm to individuals. Organizations should put adequate controls in place to manage ITAD in order to safeguard PII instead of making excuses.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-7839
Published: 2014-11-25
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

CVE-2014-8001
Published: 2014-11-25
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8002
Published: 2014-11-25
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?