The consent agreement also credits the hospital $275,000 “to reflect security measures it has taken subsequent to the breach,” the Coakley statement said.
The lawsuit that led to the settlement was filed under the Massachusetts Consumer Protection Act and the privacy and security provisions of the federal Health Insurance Portability and Accountability Act.
Amendments to HIPAA under the American Recovery and Reinvestment Act of 2009 extended enforcement authority for HIPAA privacy and security violations to state attorneys general.
According to Coakley's statement, in February 2010, the hospital shipped three boxes containing 473 unencrypted backup computer tapes with individually identifiable personal and HIPAA-protected health information to a contractor, Archive Data Solutions, “to erase the backup tapes and resell them.”
“The hospital did not inform Archive Data, however, that personal information and protected health information was on the backup computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information,” the Coakley statement said. “Multiple companies handled the shipping of the boxes containing the tapes,” it said. “In June 2010, the hospital learned that only one of the boxes arrived at its destination in Texas.”
The missing tapes were never recovered, according to the South Shore statement, but “there remains no evidence that any information on the files has ever been accessed or used by anyone.”
Based on its investigation in 2010, “all available evidence indicated that the backup computer files were most likely disposed of in a secure commercial landfill and were therefore unrecoverable,” the hospital statement said.
“The state's review has been comprehensive and thorough,” said Richard Aubut, South Shore president and CEO, in the statement. “We appreciate that the attorney general has recognized the steps we've taken to enhance our data-security systems and hope to be able to serve as a source of information about best practices for other healthcare providers.”