Risk
5/29/2012
02:10 PM

Data Breach Costs Massachusetts Hospital $750K

South Shore Hospital pays a hefty $750,000 to settle a lawsuit alleging that it failed to protect personal and confidential patient information.

Health Data Security: Tips And Tools (slideshow)
South Shore Hospital, based in Weymouth, Mass., paid $750,000 to settle a lawsuit alleging that it failed to protect patients' electronic health information (ePHI). The hospital is charged with losing 473 unencrypted backup computer tapes containing the names, Social Security numbers, financial account numbers, and medical diagnoses of 800,000 individuals.

News of the settlement came in a statement from the Massachusetts Attorney General's office dated May 24th. According to the consent judgment approved in the Suffolk Superior Court, South Shore Hospital will pay a $250,000 civil penalty and $225,000 toward an education fund that will be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information. The consent judgment credits South Shore Hospital for the additional $275,000 the hospital spent to beef up its security measures in the aftermath of the data breach.

According to Massachusetts attorney general Martha Coakley, hospitals and other entities that handle personal and protected health information are obligated to properly protect sensitive data, whether it is in paper or electronic form.

"It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach," Coakley said.

[ ONC guidelines recommend that medical practices establish a privacy and security officer to help safeguard patient data. Read more at ONC To Medical Practices: Get A Security Officer. ]

The data breach was reported to the Attorney General's Office in July 2010, and a subsequent investigation found that in February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes with 800,000 individuals' personal information and protected health information off-site to be erased. The hospital contracted with Phoenixville, Pa.-based Archive Data Solutions to erase the backup tapes and resell them.

However, the hospital did not inform Archive Data that the backup computer tapes contained personal information and protected health information; nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Further complicating matters, the investigation showed that multiple companies handled the shipping of the boxes containing the tapes.

In June 2010, South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The other missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

In an interview, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, said the investigation's findings reveal many points of internal breakdown in South Shore Hospital's policies and procedures to protect patients' ePHI. According to Berger, this could have been preempted had a comprehensive security risk analysis been conducted prior to the incident.

He also said the findings of the Massachusetts Attorney General's investigation raise serious questions, including why the data was unencrypted. According to Berger, encrypting patient data is an addressable requirement under HIPAA, and if the hospital chose not to encrypt, it was required to implement comparable means of protecting the data.

The investigation also raised other troubling questions. "Why didn't South Shore sign a Business Associate agreement with Archive Data?" Berger said. "Additionally, the hospital should have known that its custodial responsibility in regard to safeguarding protected health information (PHI) pertains to all copies of the data, whether in use at the hospital or at a business partner, and extends through the 'life cycle' of that data--all the way through to disposal."

The allegations in the lawsuit against South Shore Hospital were based on violations of the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Among the violations are failing to implement appropriate safeguards, policies, and procedures to protect consumers' information; failing to have a Business Associate Agreement in place with Archive Data Solutions; and failing to properly train its workforce with respect to health data privacy.

To better protect patient information, South Shore Hospital has agreed to adopt a number of measures to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the attorney general.


Comments
RetireIT, User Rank: Apprentice, 5/30/2012 | 3:11:36 PM
re: Data Breach Costs Massachusetts Hospital $750K
Both SSH and Archive Data were asleep at the wheel. Archive Data said it tried for about a month to track down the tapes before notifying the hospital. Where in Texas did Archive Data send the tapes? How were they shipped? It doesn't take a month to determine the loss. Clearly SSH lacked adequate controls and proper monitoring. SSH outsourced to Archive Data without proper vetting. Huron Consulting was hired to say there was no Significant Risk of harm to individuals. Organizations should put adequate controls in place to manage ITAD in order to safeguard PII instead of making excuses.