South Shore Hospital in South Weymouth, MA has agreed to pay $750,000 to settle charges related to a data breach that occurred in 2010. The Massachusetts Attorney General’s office announced the civil settlement last week.
In February 2010, the hospital sent 473 unencrypted backup tapes to an off-site data solutions facility to be erased and resold, according to the attorney general’s office. However, the hospital did not inform the contractor that Protected Health Information (PHI) was contained on the computer tapes, nor was there a business associate agreement in place with the contractor to ensure that such information was adequately protected by any and all agents to whom it was provided, including subcontractors. Four months later, the hospital discovered that only one of three boxes had arrived at its destination, and the others have not been recovered.
The lost data contained patients’ names, Social Security numbers, and financial account numbers, in addition to medical diagnoses. While there have been no reports of unauthorized use of any of the compromised information, the attorney general’s office cited violations of both the federal Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Consumer Protection Act, a state law, in filing the lawsuit against South Shore Hospital. The hospital has since established tougher requirements and introduced new measures for protecting personal information.
Patient data stored in medical billing software, Electronic Medical Records (EMR) systems, and even data backups must be protected against loss and misuse. Microwize Technology can help ensure your practice is covered.