Fines Levied in Health IT Data Breach

A Boston-area hospital will pay $750,000 in civil penalties and related costs related to a 2010 data breach that compromised the personal and medical information of 800,000 patients, the Massachusetts Attorney General’s Office announced late last week.

South Shore Hospital of South Weymouth, Mass., agreed to pay a $250,000 fine, along with $225,000 to create an Attorney General’s Office-managed fund to educate the public on protecting digital health and personal information. South Shore also was credited for $275,000 in additional security measures it took following the breach, according to a news release from the Attorney General’s Office.

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” Attorney General Martha Coakley said following the May 24 settlement. “It is their responsibility to understand and comply with the laws of our commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

Coakley’s office says South Shore violated both state and federal law when it shipped three boxes containing 473 unencrypted backup computer tapes offsite to be erased. The company selected to erase the tapes did not know they contained protected health information, the AG’s Office says.

Several companies handled the boxes, and only one of the three arrived at its destination. The other two were never recovered, according to the news release, but there is no indication that any of the information on those tapes has been used by thieves.

Coakley’s office alleged that the hospital failed to implement appropriate safeguards, policies and procedures to protect consumers’ information, failed to have a proper agreement in place with the company handling the boxes of tapes, and failed to properly train employees on health data privacy.

Under the consent judgment, South Shore Hospital also agreed to a security audit, with results and corrective actions to be reported to the attorney general.