Massachusetts Breach: An UpdateBackup Files Were Lost in Transit, Vendor Reports
Unencrypted backup computer files containing personal, health and financial information on about 800,000 people apparently were lost when they were being shipped from a Massachusetts hospital to a site where they were to be destroyed.
South Shore Hospital in South Weymouth, Mass., hired Archive Data Solutions, formerly known as Iron Mountain Data Products, to destroy a number of files. The company, in turn, hired a third-party freight carrier, which picked up all the files Feb. 26 to deliver them to a site for destruction, says Jill Fallon, an Archive Data Solutions spokesman. "Part of that shipment was lost," she acknowledges, so only a portion of the files was destroyed.
The hospital, for its part, says Archive Data Solutions did not provide certificates of destruction "in a timely manner," which prompted it to inquire about the fate of the files. The company notified the hospital about the missing files June 17, but the hospital did not post a notice about the incident on its website until July 17, following an investigation. The hospital declined to provide comment beyond the information on its site.
So far, there is no evidence that the missing information has been accessed or used for fraudulent purposes, according to the hospital. The investigation is continuing.
New State RegulationTough new Massachusetts data security regulations, enforced by the state attorney general, took effect March 1. "South Shore contacted our office once they discovered the tapes had been lost," a spokesman for the attorney general confirmed. Although she would not confirm whether the office was investigating the South Shore case, she added, "We are working with them to ensure they fulfill their legal obligations."
Legal obligations under the state regulation include implementing a comprehensive security program and taking "reasonable steps" to verify that any third parties with access to personal data have the ability to protect the information. Plus, personal data must be encrypted when it's stored on portable devices or transmitted via the Internet.
In addition to notifying the attorney general, the hospital reported the incident to the Health and Human Services' Office for Civil Rights as required under the HITECH Act's breach notification rule.The hospital will send letters to individuals affected once it verifies whose information may have been included in the missing back-up files. Once the investigation is complete, the hospital will determine whether to provide free credit and identity theft monitoring to any of those affected.
The missing files included information on patients, employees, physicians, volunteers, donors, vendors and other business partners dating from Jan. 1, 1996, to Jan. 6, 2010. Information may have included certain individuals' names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers, health plan information, dates of service and diagnosis and treatment information. For a "very small subset" of individuals, information also may have included bank account and credit card numbers, the hospital said in its online statement.
The files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted, the hospital said. "However, specialized software, hardware and technical knowledge and skill would be required for someone to access and decipher the information," according to the hospital's statement. South Shore has ceased the offsite destruction of back-up computer files "and is putting in place policies to ensure that a similar situation cannot occur," the hospital said.
The hospital said in an online "Answers to Your Questions" document that it waited until July 17 to post the announcement about the incident because "we had to determine exactly what had happened." "Our investigation has involved working with the data management company and shippers to search for the missing back-up computer files, to verify the scope and types of information contained in the back-up computer files, and to assess the possibility that someone could access the information. We also have been working diligently to determine how to identify the number and identity of the individuals whose information is potentially affected by this matter."