Welcome back to the grind now that the long weekend’s over.
While you were busy preparing for a long weekend, both the Attorney General of Massachusetts and South Shore Hospital were releasing news about a health data breach settlement costing the latter $750,000 in penalties. According to the hospital, “the file loss occurred two years ago in 2010, was widely publicized at the time, and has not resulted in any reported incidents of the data having been accessed or used by anyone.” However, when it comes to health data breaches, there’s no such thing as a no harm, no foul policy.
So where did it all go wrong? In February 2010, the hospital contracted Archive Data Solutions to erase, off-site, three boxes containing 473 unencrypted backup computer tapes holding protected health information (PHI) and personal information of 800,000 individuals, including names, Social Security numbers, medical diagnoses, and financial account numbers. The first problem? At no point did South Shore Hospital inform the contractor that the data on these tapes were sensitive. The second? Only one of the three boxes ever made it to Archive Data Solutions in Texas.
Which is more heinous: not having a proper Business Associate Agreement, or being unable to make sure that these boxes ended up at the proper location? Attorney General Martha Coakley cited the lack of safeguards in place at Archive Data Solutions as one of many failures to protect private information, but it wasn't the contractor's job to disclose, let alone identify, the contents of the tapes (although a betting man would have assumed that hospital data is for the most part sensitive and therefore high risk). After an investigation, the hospital concluded that the lost tapes ended up in a "secure commercial landfill and were therefore unrecoverable."
The health data breach led to a lawsuit filed under both the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA). As a result of the state's review of the file loss, the hospital must pay a $750,000 settlement. However, the amount actually due is $475,000: the $750,000 total is reduced by a $275,000 credit for the hospital's pre-existing investment in technology, particularly data-handling upgrades. That $475,000 balance is split between enforcement payments ($250,000) and a data-security education fund ($225,000).
What remains alarming about the episode, though, are the vastly different pictures the hospital and the Attorney General have painted in their public releases. The hospital's press release says very little about its negligence in educating staff on the proper methods for handling sensitive patient information. Conversely, Coakley's comments put the majority of the blame squarely on the hospital for not having policies and safeguards in place and for not communicating them to its staff and business partners.
In fact, the hospital's public comments resemble an apologia for its efforts to respond to the health data breach. What it does admit is that "a professional data management company" failed to prevent the files from being lost. Doing what you're supposed to do doesn't earn you a pat on the back. It's going above and beyond to ensure that incidents like this don't happen that earns you praise and high marks.