
Risk

5/29/2012
02:10 PM

Data Breach Costs Massachusetts Hospital $750K

South Shore Hospital pays a hefty $750,000 to settle a lawsuit alleging that it failed to protect personal and confidential patient information.

[Image: Health Data Security: Tips And Tools]
South Shore Hospital, based in Weymouth, Mass., paid $750,000 to settle a lawsuit alleging that it failed to protect patients' electronic protected health information (ePHI). The hospital is charged with losing 473 unencrypted backup computer tapes containing the names, Social Security numbers, financial account numbers, and medical diagnoses of 800,000 individuals.

News of the settlement came in a statement from the Massachusetts Attorney General's office dated May 24th. According to the consent judgment approved in the Suffolk Superior Court, South Shore Hospital will pay a $250,000 civil penalty and $225,000 toward an education fund that will be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information. The consent judgment credits South Shore Hospital for the additional $275,000 the hospital spent to beef up its security measures in the aftermath of the data breach.

According to Massachusetts Attorney General Martha Coakley, hospitals and other entities that handle personal and protected health information are obligated to properly protect sensitive data, whether it is in paper or electronic form.

"It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach," Coakley said.


The data breach was reported to the Attorney General's Office in July 2010, and a subsequent investigation found that in February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes with 800,000 individuals' personal information and protected health information off-site to be erased. The hospital contracted with Phoenixville, Pa.-based Archive Data Solutions to erase the backup tapes and resell them.

However, the hospital did not inform Archive Data that the backup computer tapes contained personal information and protected health information; nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Further complicating matters, the investigation showed that multiple companies handled the shipping of the boxes containing the tapes.

In June 2010, South Shore Hospital learned that only one of the three boxes had arrived at its destination in Texas. The two missing boxes have not been recovered, although there have been no reports to date of unauthorized use of the affected individuals' personal information or protected health information.

In an interview, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, said the investigation's findings reveal many points of internal breakdown in South Shore Hospital's policies and procedures to protect patients' ePHI. According to Berger, this could have been preempted had a comprehensive security risk analysis been conducted prior to the incident.

He also said the findings of the Massachusetts Attorney General's investigation raise serious questions, including why the data was unencrypted. According to Berger, encrypting patient data is an addressable requirement under HIPAA, and if the hospital chose not to encrypt, it was required to implement comparable means of protecting the data.

The investigation also raised other troubling questions. "Why didn't South Shore sign a Business Associate agreement with Archive Data?" Berger said. "Additionally, the hospital should have known that its custodial responsibility in regard to safeguarding protected health information (PHI) pertains to all copies of the data, whether in use at the hospital or at a business partner, and extends through the 'life cycle' of that data--all the way through to disposal."

The allegations in the lawsuit against South Shore Hospital were based on violations of the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Among the violations are failing to implement appropriate safeguards, policies, and procedures to protect consumers' information; failing to have a Business Associate Agreement in place with Archive Data Solutions; and failing to properly train its workforce with respect to health data privacy.

To better protect patient information, South Shore Hospital has agreed to adopt a number of measures to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the attorney general.


Comments
RetireIT, User Rank: Apprentice
5/30/2012 | 3:11:36 PM
re: Data Breach Costs Massachusetts Hospital $750K
Both SSH and Archive Data were asleep at the wheel. Archive Data said it tried for about a month to track down the tapes before notifying the hospital. Where in Texas did Archive Data send the tapes? How were they shipped? It doesn't take a month to determine the loss. Clearly SSH lacked adequate controls and proper monitoring. SSH outsourced to Archive Data without proper vetting. Huron Consulting was hired to say there was no Significant Risk of harm to individuals. Organizations should put adequate controls in place to manage ITAD in order to safeguard PII instead of making excuses.