
Risk

5/29/2012
02:10 PM

Data Breach Costs Massachusetts Hospital $750K

South Shore Hospital pays a hefty $750,000 to settle a lawsuit alleging that it failed to protect personal and confidential patient information.

[Slideshow: Health Data Security: Tips And Tools]
South Shore Hospital, based in Weymouth, Mass., paid $750,000 to settle a lawsuit alleging that it failed to protect patients' electronic health information (ePHI). The hospital is charged with losing 473 unencrypted backup computer tapes containing the names, social security numbers, financial account numbers, and medical diagnoses of 800,000 individuals.

News of the settlement came in a statement from the Massachusetts Attorney General's office dated May 24th. According to the consent judgment approved in the Suffolk Superior Court, South Shore Hospital will pay a $250,000 civil penalty and $225,000 toward an education fund that will be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information. The consent judgment credits South Shore Hospital for the additional $275,000 the hospital spent to beef up its security measures in the aftermath of the data breach.

According to Massachusetts attorney general Martha Coakley, hospitals and other entities that handle personal and protected health information are obligated to properly protect sensitive data, whether it is in paper or electronic form.

"It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach," Coakley said.

[ ONC guidelines recommend that medical practices establish a privacy and security officer to help safeguard patient data. Read more at ONC To Medical Practices: Get A Security Officer. ]

The data breach was reported to the Attorney General's Office in July 2010, and a subsequent investigation found that in February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes with 800,000 individuals' personal information and protected health information off-site to be erased. The hospital contracted with Phoenixville, Pa.-based Archive Data Solutions to erase the backup tapes and resell them.

However, the hospital did not inform Archive Data that the backup computer tapes contained personal information and protected health information; nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Further complicating matters, the investigation showed that multiple companies handled the shipping of the boxes containing the tapes.

In June 2010, South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The other missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

In an interview, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, said the investigation's findings reveal many points of internal breakdown in South Shore Hospital's policies and procedures to protect patients' ePHI. According to Berger, this could have been preempted had a comprehensive security risk analysis been conducted prior to the incident.

He also said the findings of the Massachusetts Attorney General's investigation raise serious questions, including why the data was unencrypted. According to Berger, encrypting patient data is an addressable requirement under HIPAA, and if the hospital chose not to encrypt, it was required to implement comparable means of protecting the data.

The investigation also raised other troubling questions. "Why didn't South Shore sign a Business Associate agreement with Archive Data?" Berger said. "Additionally, the hospital should have known that its custodial responsibility in regard to safeguarding protected health information (PHI) pertains to all copies of the data, whether in use at the hospital or at a business partner, and extends through the 'life cycle' of that data--all the way through to disposal."

The allegations in the lawsuit against South Shore Hospital were based on violations of the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Among the violations are failing to implement appropriate safeguards, policies, and procedures to protect consumers' information; failing to have a Business Associate Agreement in place with Archive Data Solutions; and failing to properly train workforce with respect to health data privacy.

To better protect patient information, South Shore Hospital has agreed to adopt a number of measures to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the attorney general.


Comments
RetireIT, User Rank: Apprentice, 5/30/2012 | 3:11:36 PM
re: Data Breach Costs Massachusetts Hospital $750K
Both SSH and Archive Data were asleep at the wheel. Archive Data said it tried for about a month to track down the tapes before notifying the hospital. Where in Texas did Archive Data send the tapes? How were they shipped? It doesn't take a month to determine the loss. Clearly SSH lacked adequate controls and proper monitoring. SSH outsourced to Archive Data without proper vetting. Huron Consulting was hired to say there was no Significant Risk of harm to individuals. Organizations should put adequate controls in place to manage ITAD in order to safeguard PII instead of making excuses.