DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations

Posted on May 24, 2012 by Dissent

It started with an announcement in July 2010 that computer backup tapes with data on 800,000 were missing. It proceeded to confusion as to what business associates or vendors were involved and the sequence of events. But things started getting really ugly over a dispute between South Shore Hospital and the Massachusetts Attorney General’s Office, who objected to the hospital’s position that it did not have to provide individual notice. Today, the Attorney General’s Office announced that the hospital would pay $750,000 to settle charges against it under HIPAA and state laws over the data breach:

South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers, Attorney General Martha Coakley announced today. The investigation and settlement resulted from a data breach reported to the AG’s Office in July 2010 that included individual’s names, Social Security numbers, financial account numbers, and medical diagnoses.

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment approved today in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.

The lawsuit was filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them.

The hospital did not inform Archive Data, however, that personal information and protected health information was on the back-up computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.

In June 2010 South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.

According to the consent judgment, South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.

This matter is being handled by Assistant Attorneys General Shannon Choy-Seymour of the Consumer Protection Division and Lois Johnson of the Health Care Division with assistance from Civil Investigator Jake Harney.

 

No related posts.

Category: Health Data

Post navigation

← Correction to Earlier Post
Social Network Soup taken offline with DDoS Attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.