Massachusetts Hospital Loses Track of 800,000 Patient Files

Doesn't think anyone can access them

Massachusetts South Shore Hospital announced that back-up computer files containing personal information on some 800,000 people may have been lost when they were sent to a contractor to be destroyed, the Boston Globe reports.

A South Shore Hospital news release about the problem states that:

"The information on the back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files."

The news release goes on to state that included among those whose information is unaccounted for, "are patients who received medical services at South Shore Hospital - as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital - between January 1, 1996 and January 6, 2010."

South Shore Hospital's president and chief executive officer said he was deeply sorry for the files being lost, and that, "Safeguarding confidentiality is fundamental to our mission of healing, caring and comforting."

Individuals suspected of having their information on the lost computer files will be sent a letter about the problem.

The South Shore Hospital news release also states that the "... back-up computer files were shipped for offsite destruction on February 26, 2010. When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed."

The Globe story notes that Massachusetts law requires companies to notify the state attorney general's office when they know or suspect personal information has been lost or stolen. Since February 2008, when the law took effect, there have been 1,370 reported incidents, or about 1 incident a day on average. Earlier this year, the Globe estimated 1 in 6 residents of Massachusetts have had their personal information potentially compromised. This latest breach will no doubt push that ratio up.

About the Risk Factor blog

IEEE Spectrum’s risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.