Numerous sources are reporting that South Shore Hospital, based in Weymouth, MA, has settled a lawsuit brought by the Massachusetts Attorney General. The settlement is being quoted as $750,000, but this figure is not quite correct: $275,000 of the total figure is a credit for security measures South Shore has already taken.
The breach has mobilized South Shore to do something that they should have done a long time ago: use data encryption like AlertBoot to secure all of their sensitive data. I guess paying nearly $500,000 in fines will prompt you to do that.
A Little History
In the summer of 2010, South Shore Hospital went public with the knowledge that they had suffered a data breach. While details were not as forthcoming then, we can now summarize the events as follows. Previous posts on the South Shore breach can be found here, here, and here.
South Shore contracted Archive Data Solutions to erase and sell 473 backup tapes. The hospital failed to mention what was on those tapes; had the nature of the data been brought up, it could possibly have prompted the contractor to ask for the contents to be encrypted, although this is merely speculation on my part.
Archive Data Solutions in turn subcontracted the work to a firm in Texas. However, the subcontractor never received the full shipment — only one box out of three was received. The courier company that was charged with delivering the boxes suggests that the missing two boxes of tapes were buried in a landfill, as per the courier’s disposal policies.
The hospital’s inability to obtain certificates of destruction eventually led Archive Data Solutions to admit to the breach.
The information on the tapes affected patients, as well as employees, physicians, volunteers, donors, vendors, and other business partners. A total of 800,000 people were affected.
“Little to No Risk that Information…Could be Acquired”
These are the words that South Shore used when filing the breach with the Massachusetts AG. In light of the settlement, it’s a fun little bag of mixed messages. After all, the hospital did just agree to settle a lawsuit for $750,000 — not chump change.
The $750K breaks down as a $250,000 civil penalty, plus $225,000 destined to a fund for promoting education in the protection of personal information and protected health information, and a consent agreement that credits $275,000 for security measures South Shore has taken since the breach.
You might be asking, what security measures? Well, for one:
Since the breach, “we’ve actually put in a great deal of new measures to protect personal information,” said hospital spokeswoman Sarah Darcy. “Everything — everything — is encrypted now.”[boston.com]
It’s sad how people prioritize things: had South Shore put in the effort to encrypt everything, EVERYTHING, from the beginning, it wouldn’t be suffering the effects of the data breach now.