South Shore Hospital in South Weymouth, Mass., has agreed to a $750,000 settlement for a 2010 data breach involving lost backup files containing personal identifying information such as names and Social Security numbers, as well as health records, for 800,000 individuals.
The hospital informed the Massachusetts attorney general's office of a breach in July 2010 and the state filed a lawsuit on May 21, 2012. The grounds for the lawsuit were "unfair or deceptive conduct" in violation of the Massachusetts Consumer Protection Act and failure to safeguard patient information under the federal Health Insurance Portability and Accountability Act (HIPAA).
HIPAA violations included a lack of policies and procedures to protect consumer data, failure to establish a business associate agreement with its data-management company Archive Data and inadequate training of the hospital's workforce with respect to health data privacy, according to the Massachusetts attorney general's office.
A judge awarded a consent judgment, or settlement, on May 24, and the state's attorney general, Martha Coakley, announced the agreement that day.
Data Security Protocols to Protect Patient Information
The hospital must adopt data-security protocols as part of the agreement. These include undergoing a review of security measures and reporting improvements in data security to the attorney general. The hospital has agreed to abide by regulations regarding contracts with business associates and third parties involved in discarding data.
The hospital did not inform Archive Data that the tapes stored health information, according to the Massachusetts attorney general's office.
South Shore Hospital also hadn't determined if Archive Data had taken the necessary steps to protect sensitive information, according to the attorney general.