South Shore Hospital in South Weymouth will pay $750,000 to settle charges related to a 2010 data breach that compromised the personal information of more than 800,000 people, according to a release from the Massachusetts attorney general’s office.
The settlement, approved Thursday in Suffolk Superior Court, includes a civil penalty of $250,000 and $225,000 for a fund to be used by the attorney general’s office to promote education on the protection of personal data, the release said. South Shore Hospital was also credited for $275,000 it spent on security measures following the breach.
“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data,” said Massachusetts Attorney General Martha Coakley. Coakley sued the hospital under state and federal laws that require secure storage of personal information collected by hospitals.
In February of 2010, the hospital contracted with a Pennsylvania company, Archive Data Solutions, to erase and re-sell 473 data tapes containing information on 800,000 individuals. None of the data was encrypted, and so it could be read by anyone with the right equipment and training.
The hospital did not inform Archive Data that the tapes contained sensitive information. The tapes were shipped to a Texas subcontractor in three boxes, but the hospital later learned that only one of the boxes arrived.
Since the breach, “we’ve actually put in a great deal of new measures to protect personal information,” said South Shore spokeswoman Sarah Darcy. “Everything—everything—is encrypted now.”
The hospital has established tougher requirements for the use of medical records on mobile devices, which could easily be lost or stolen, and employees have received additional training on the proper handling of patient data.