Health Care IT
By: Brian T. Horowitz
2010-07-21

South Shore Hospital in Massachusetts reveals that backup files containing patient and employee information have disappeared. An investigation to determine what happened to the data is under way.

A Massachusetts hospital is under scrutiny after hundreds of thousands of patient and employee records went missing earlier this year. The missing files underscore the problems health care providers face when balancing patient privacy and the need to store massive amounts of data, especially as new federal rules for electronic health records come into play.

South Shore Hospital in South Weymouth, Mass., reported July 19 that it’s investigating the potential loss of 800,000 backup files containing personal, health and financial information of patients, physicians and other individuals connected with the medical facility.

The files were sent to a data-management company to be destroyed on Feb. 26, but the hospital was informed on June 17 that only a portion of the backup records had been received and destroyed. It’s unknown when during the four-month period the files disappeared.

“We engaged a professional data-management company to arrange for the destruction and shipping and it was within this shipping process that these files were lost,” Sarah Darcy, spokesperson for South Shore Hospital, told eWEEK. “It was not something that happened on our campus.”

South Shore provides acute, outpatient, home health and hospice care and is the largest independently operated hospital in Eastern Massachusetts.

The files may contain information from patients, employees, physicians, volunteers, donors, vendors and other business partners who were affiliated with the hospital between Jan. 1, 1996, and Jan. 6, 2010.

South Shore said it arranged for the files to be destroyed because they were in a file format it no longer uses. According to the hospital, the files may contain personal information such as Social Security numbers, driver’s license numbers, data on diagnoses and treatment, and bank account and credit-card information.

The hospital has been in contact with the Massachusetts Attorney General’s office and Department of Public Health as well as the U.S. Department of Health and Human Services on this matter, but wouldn’t disclose the name of the data-management company or what type of storage device was involved.

The hospital will notify affected individuals in the coming weeks. In the meantime, the hospital is directing people who may be affected to notify credit agencies of possible theft.

Darcy declined to get into specifics due to the ongoing investigation but expressed regret for the incident and said the hospital will make sure the problem doesn’t reoccur.

“We’ve apologized and want to apologize as much as possible because in the end we take responsibility for it,” said Darcy. “We are reviewing the policies and procedures, and the outcome of that review will certainly prevent this from ever happening again. What exactly the steps that will be taken post-review, I can’t say yet because the review is still under way.”

Darcy insisted that it’s unlikely the missing data has been accessed.

“There is no evidence from our investigation or from anything that has been reported to the Massachusetts general’s office that any of this information has been accessed — no evidence whatsoever,” said Darcy. “It would take special equipment, special software and special knowledge and technical skills to access any of the information on the files, let alone decipher it.”

As hospitals move forward with plans for electronic medical records in response to the new meaningful-use guidelines from the U.S. Department of Health and Human Services, data security and privacy will remain a concern.

“We thought we were doing the right thing as far as being stewards of sensitive information,” Darcy said.

Nevertheless, when data goes missing, communication with those affected will be essential. “We are dedicated to being transparent, and this is about informing the community,” the spokesperson said.

Compliments of FileMan Research