In June, 2010, South Shore Hospital announced on its website that unencrypted back-up tapes containing patient information went missing and were believed to have been discarded at a dump.  Reports state that this incident involved 473 tapes which contained information about 800,000 patients, including names, social security numbers, account numbers, and medical diagnoses.

On May 24, 2012, the Massachusetts Attorney General’s Office announced that a Suffolk Superior Court approved a consent decree for $750,000 to settle a lawsuit under the Massachusetts Consumer Protection Act and federal Health Insurance Portability and Accountability Act (HIPAA).  The lawsuit was filed by the Massachusetts AG against South Shore Hospital.  The settlement includes:

(1) a civil penalty of $250,000;

(2) a $225,000 payment for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information;

(3) a $275,000 credit for security measures taken after the incident occurred; and

(4) according to the press release issued by the Massachusetts AG, “South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.”

Massachusetts has one of the strictest data protection laws in the country and the Attorney General’s Office there has been focusing on whether organizations are taking the appropriate steps to protect consumer information.  Frequently, after a breach is reported to that office in accordance with Massachusetts law, a copy of the required Written Information Security Program (WISP) will be requested (see 201 CMR 17.00).  Moreover, as we reported here, Massachusetts law dictates that contracts with vendors who handle information concerning Massachusetts residents must require the vendor have in place appropriate safeguards to protect that information. 

Here, South Shore was accused of failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with its back-up tape vendor, and failing to properly train its workforce with respect to health data privacy.  Therefore, even if a WISP is in place, it is clear from this settlement and investigation that the focus is on actual implementation of the written policies and procedures.