South Shore Hospital, Active Data Solutions - 2010
Computer files containing personal, health and financial information of volunteers, patients, vendors, business partners and employees from January 1996 through January 2010 may have been lost by a professional data management company. Depending on the person's association with the hospital, the information exposed could be full name, address, phone number, date of birth, Social Security number, driver's license number, medical record number, patient number, bank account information, credit card number, diagnoses and treatment.UPDATE (9/10/10): Archive Data Solutions (formerly Iron Mountain Data Products) was revealed to be the company responsible for disposing of South Shore Hospital's records. Archive Data Solutions subcontracted the process to Graham Magnetics, who then lost the tapes in shipping. The tapes may have also had patient information from Harbor Medical Associates and patient and vendor information from South Shore Physician Hospital Organization.After investigating the incident the hospital decided not to mail notices or offer credit monitoring and identity theft services to those who may have been affected by the loss. It was determined that the risk of the data being accessed was extremely low and that notifications inside the hospital, on websites, via email and in newspapers would be enough. In addition, the Attorney General's office of Massachusetts has spoken out against the hospital's decision to skip precautions.UPDATE (5/24/2012): South Shore Hospital will pay $750,000 to settle HIPAA violation and state law charges. The breach involved the loss of two of three boxes containing 473 unencrypted back-up computer tapes with sensitive information sometime between February 2010 and June of 2010. A total of $250,000 in civil penalty fines and a payment of $225,000 for an education fund to be used by the Attorney General's Office to promote education concerning the protection of personal information and protected health information was determined. South Shore Hospital was given a credit of $275,000 to reflect the cost of security measures it had already taken subsequent to the breach.