Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/29/2012
02:10 PM
50%
50%

Data Breach Costs Massachusetts Hospital $750K

South Shore Hospital pays a hefty $750,000 to settle a lawsuit alleging that it failed to protect personal and confidential patient information.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
South Shore Hospital, based in Weymouth, Mass., paid $750,000 to settle a lawsuit alleging that it failed to protect patients' electronic health information (ePHI). The hospital is charged with losing 473 unencrypted backup computer tapes containing the names, social security numbers, financial account numbers, and medical diagnoses of 800,000 individuals.

News of the settlement came in a statement from the Massachusetts Attorney General's office dated May 24th. According to the consent judgment approved in the Suffolk Superior Court, South Shore Hospital will pay a $250,000 civil penalty and $225,000 toward an education fund that will be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information. The consent judgment credits South Shore Hospital for the additional $275,000 the hospital spent to beef up its security measures in the aftermath of the data breach.

According to Massachusetts attorney general Martha Coakley, hospitals and other entities that handle personal and protected health information are obligated to properly protect sensitive data, whether it is in paper or electronic form.

"It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach," Coakley said.

[ ONC guidelines recommend that medical practices establish a privacy and security officer to help safeguard patient data. Read more at ONC To Medical Practices: Get A Security Officer. ]

The data breach was reported to the Attorney General's Office in July 2010, and a subsequent investigation found that in February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes with 800,000 individuals' personal information and protected health information off-site to be erased. The hospital contracted with Phoenixville, Pa.-based Archive Data Solutions to erase the backup tapes and resell them.

However, the hospital did not inform Archive Data that the backup computer tapes contained personal information and protected health information; nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Further complicating matters, the investigation showed that multiple companies handled the shipping of the boxes containing the tapes.

In June 2010, South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The other missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

In an interview, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, said the investigation's findings reveal many points of internal breakdown in South Shore Hospital's policies and procedures to protect patients' ePHI. According to Berger, this could have been preempted had a comprehensive security risk analysis been conducted prior to the incident.

He also said the findings of the Massachusetts Attorney General's investigation raises serious questions, including why the data was unencypted. According to Berger, encrypting patient data is an addressable requirement under HIPAA, and if the hospital chose not to encrypt, they were required to implement comparable means of protecting the data.

The investigation also raised other troubling questions. "Why didn't South Shore sign a Business Associate agreement with Archive Data?" Berger said. "Additionally, the hospital should have known that its custodial responsibility in regard to safeguarding protected health information (PHI) pertains to all copies of the data, whether in use at the hospital or at a business partner, and extends through the 'life cycle' of that data--all the way through to disposal."

The allegations in the lawsuit against South Shore Hospital were based on violations of the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Among the violations are failing to implement appropriate safeguards, policies, and procedures to protect consumers' information; failing to have a Business Associate Agreement in place with Archive Data Solutions; and failing to properly train workforce with respect to health data privacy.

To better protect patient information, South Shore Hospital has agreed to adopt a number of measures to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the attorney general.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetireIT
50%
50%
RetireIT,
User Rank: Apprentice
5/30/2012 | 3:11:36 PM
re: Data Breach Costs Massachusetts Hospital $750K
Both SSH and Archive Data were asleep at the wheel. Archive Data said it tried for about a month to track down the tapes before notifying the hospital. Where in Texas did Archive Data send the tapes? How were they shipped? It doesnGt take a month to determine the loss. Clearly SSH lacked adequate controls and proper monitoring. SSH outsourced to Archive Data without proper vetting. Huron Consulting was hired to say there was no Significant Risk of harm to individuals. Organizations should put adequate controls in place to manage ITAD in order to safeguard PII instead of making excuses.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.