South Shore Hospital in Weymouth, Massachusetts, agreed this week to pay $475,000 to settle allegations connected with a 2010 data breach affecting the confidential health records of more than 800,000 patients. The hospital has already spent $275,000 on new security measures since the breach, bringing the total cost of the breach to $750,000.
The settlement resulted from a data breach reported to the attorney general's office in July 2010 that included individuals' names, Social Security numbers, financial account numbers, and medical diagnoses, the news release said.
South Shore Hospital shipped three boxes containing 473 unencrypted backup computer tapes with the personal information and health information of 800,000 individuals, the release said. The tapes were being shipped to a remote location so that Archive Data Solutions could erase the tapes and resell them, according to the release. Only one of the boxes arrived at its destination in Texas, the press release said, and the missing boxes have not been recovered. There are no reports of unauthorized use of the personal information.
Approved in Suffolk Superior Court, the settlement includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the attorney general's office to promote education related to protecting personal information and health information. The total amount of the settlement was $750,000, but the settlement credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.
As a result of the settlement, South Shore Hospital will be required to take steps to ensure compliance with data security laws and regulations, as well as to undergo an audit of its security measures, the news release said.
“South Shore Hospital to pay $475K over patient data breach,” Boston Business Journal (May 9, 2012)