Healthcare News & Insights

Patient data lost on way to third-party – hospital pays $750,000

Healthcare organizations must make sure sensitive patient information is protected not only while it's in their possession, but also when it leaves the premises for third-party service providers.

South Shore Hospital in Boston has agreed to pay $750,000 to settle charges that it failed to protect the personal and medical information of more than 800,000 patients.

In July 2010, South Shore reported a data breach that compromised those patients’ names, Social Security numbers, financial information and medical diagnoses. A subsequent investigation found that the hospital had made some mistakes that put information at risk while decommissioning old IT equipment.

The hospital had contracted with a service provider to erase old back-up tapes and resell them. Three boxes containing 473 tapes were sent to the service provider, but only one actually got there. The other two have not been recovered, although so far no misuse of the patients’ sensitive information has been reported.

A lawsuit alleged that South Shore was responsible for failing to protect patients’ information because:

  1. The back-up tapes were not encrypted, even though they contained sensitive data
  2. The service provider was never told that the tapes contained information that had to be protected
  3. The hospital never made sure the service provider had safeguards in place to protect the data, and
  4. The shipping was handled by multiple companies, meaning the tapes were in several organizations’ possession throughout the process.

In addition to the $750,000 settlement, South Shore agreed to take a number of steps to better protect patient data, including reviewing its processes for working with third parties.
