Data breach costs South Shore Hospital $750,000 fine

Weymouth —
After a breach in patient and employee files that occurred two years ago resulted in a $750,000 fine, South Shore Hospital officials say the medical facility has taken additional steps to protect sensitive information.

“Even though the circumstances were unfortunate, the hospital takes full responsibility for the protection of personal health information and the personal information of employees,” hospital spokeswoman Sarah Darcy said May 25. “We will be the model for protecting personal health care information.”

The hospital agreed to pay a $750,000 fine May 24 under a consent judgment in Suffolk Superior Court that it failed to protect the personal and confidential information of more than 800,000 consumers, although Attorney General Martha Coakley stated that no one with criminal intent has taken advantage of the information.

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” Coakley stated. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

The consent judgment settles a lawsuit Coakley’s office filed under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act.

“The state’s review has been comprehensive and thorough,” stated hospital chief executive officer Richard H. Aubut. “We appreciate the attorney general has recognized the steps we’ve taken to enhance our data-security systems and hope to be able to serve as a source of information about best practices for other health care providers.”

Darcy said the consent judgment credits South Shore with spending $275,000 that reflects the updated security measures it has taken since the data breach occurred. The balance of the penalty requires the hospital to pay a $250,000 regulatory enforcement payment and a $225,000 contribution to a data security education fund.

“We have had every employee go through additional training on how to handle sensitive information,” she said. “We had gone through training before, but this is an enhancement to that training.”

Darcy said the hospital has spent $1 million on upgrading its security systems for protecting electronic medical and employee records since two boxes of backup files were discovered missing in June 2010.

“The missing boxes have not been recovered, although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date,” Coakley stated.

Darcy said the files were backup records and the original copies remain intact.

“Since the file loss, we went into action and put new security measures in place,” Darcy said.

According to Darcy, the new measures include destroying sensitive information in a hospital facility instead of shipping the files out to a vendor.

“It’s all destroyed on-site and under strict supervision,” she said. “We’ve also applied the most advanced data security protection to our wireless networks and our servers which hold sensitive information.”

More information in this report is available in the May 30 edition of the Weymouth News.
