South Shore Hospital today reported that back-up computer files containing personal, health and financial information may have been lost by a professional data management company. The hospital had engaged the company to destroy the files because they were in a format the hospital no longer uses. The hospital has no evidence that information on the back-up computer files has been accessed by anyone. An independent information-security consulting firm has confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files.
Based upon South Shore Hospital’s investigation so far, the back-up computer files could contain personally identifiable information for approximately 800,000 individuals. Included among those individuals are patients who received medical services at South Shore Hospital – as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital – between January 1, 1996 and January 6, 2010. The information on the back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files.
South Shore Hospital’s back-up computer files were shipped for offsite destruction on February 26, 2010. When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.
South Shore Hospital immediately launched an investigation when it learned that its back-up computer files may have been lost. The investigation has included working with the data management company and shippers to search for the missing back-up computer files, taking steps to verify the scope and types of information contained in the back-up computer files, and assessing the possibility that someone could access that information. South Shore Hospital has advised the MA Attorney General’s office, the MA Department of Public Health, and the US Department of Health and Human Services about this matter. The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur. The investigation into the matter remains ongoing.
“I am deeply sorry that these files may have been lost,” said Richard H. Aubut, South Shore Hospital president and chief executive officer. “Safeguarding confidentiality is fundamental to our mission of healing, caring and comforting. I recognize that this situation is unacceptable and would like to personally apologize to all those who have trusted us with their sensitive information.”
South Shore Hospital is working to verify whose information may have been on the missing back-up computer files. Formal notification letters will be sent to them in the next several weeks. In the meantime, a sample individual notification letter has been posted. While there is no evidence that information on the back-up computer files has been improperly accessed, individuals may take steps to protect themselves, such as obtaining a free credit report, which can be done by visiting www.annualcreditreport.com or calling (877) 322-8228 toll free, or placing a fraud alert on their credit report with one of the three major credit reporting agencies (Equifax, Experian and TransUnionCorp).
Information about this matter is posted to South Shore Hospital’s website at www.southshorehospital.org and is available through a special automated toll-free Information Line at (877) 309-0176.
South Shore Hospital Breach Could Affect 800,000
NOTE: One concerned reader has submitted several comments/inquiries asking me to tell her if she is one of those affected. I am not posting her comments as it would reveal her personal information. To that individual, however:
Anne: as a blogger, I have no way of knowing who is affected by this breach, particularly since it seems that the hospital is still trying to determine who was affected.
If you want to be cautious, you might want to place a security freeze on your accounts. Fraud alerts are not as effective. They give you instructions for how to place a security freeze in the sample notification letter at http://www.southshorehospital.org/news/credit_information/sample_notification_letter.htm.
And keep checking your mail to see if you receive a notification letter over the next month.