Joseph Goedert has an interesting article on Health Data Management about the South Shore Hospital breach, focusing on whether South Shore Hospital is required, under HITECH, to notify individuals by postal mail or if they can use the “substitute notice” provisions under Massachusetts law. Goedert writes, in part:
According to a new statement on the hospital’s Web site, the investigation found that the lost computer tapes “are believed” to have been disposed of in a secure commercial landfill that a contractor uses to dispose of unclaimed materials “and are therefore unrecoverable.” The hospital in the statement also says “there remains no evidence that any information on the missing back-up computer files has ever been acquired, accessed, or used by anyone.”
Still, the hospital believes but cannot prove the data is in a secure landfill. It cannot prove the data is unusable because of certain measures taken. Officials of the Office for Civil Rights in the U.S. Department of Health and Human Services were not immediately available to discuss whether the hospital must under the federal breach law notify individuals.
Yesterday, Massachusetts Attorney General Martha Coakley issued a press release that said, in part:
The Attorney General’s Office has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss. The Attorney General’s Office will continue to monitor and investigate South Shore Hospital’s actions with regards to the data breach and its response.
Since South Shore Hospital made its announcement on July 19, 2010, and advised the Attorney General’s Office that certain patients of Harbor Medical Associates, PC as well as vendors associated with South Shore Physician Hospital Organization and patients receiving care from its member physicians may have been included among the 800,000 individuals affected by the data loss. Harbor Medical Associates, PC and Shore Physician Hospital Organizations have likewise informed the Office of the Attorney that they do not plan to send out individual notices but will join South Shore Hospital in publishing notices in newspapers, on their respective websites and providing email notification where appropriate.
The AG does not appear to be accepting South Shore’s belief that the information is unrecoverable and in a landfill as established fact (good for her!) and tells people to assume that their information has been affected:
Attorney General Martha Coakley’s Office advises that the following individuals should assume that their personal information and/or protected health information has been affected by the breach ….
Definitely an “atta gal” for the AG. The safe harbor they argue has some valid points, however, given the tenacity of identity thieves, anything could happen. What is an insider told someone about the boxes and that’s why they disappeared? It has happened in the last two years. I’m concerned that more companiess are using newspapers and internal websites as the only notification. In the case of South Shore, the hugh number does justify public notification rather than individual. The sheep that are starting to follow, using safe harbor as an excuse and South Shore as “a leader” does concern me.