Answers to Your Questions
ANSWERS TO QUESTIONS REGARDING
STATE REVIEW OF SOUTH SHORE HOSPITAL
2010 FILE LOSS
Here are answers to questions regarding the Commonwealth of Massachusetts Attorney General’s Office review of South Shore Hospital’s reported loss of back-up computer files in 2010.
1. What happened?
South Shore Hospital publicly reported on July 19, 2010 that back-up computer files containing personal, health and financial information may have been lost. On February 26, 2010, South Shore Hospital engaged Iron Mountain Data Products (now called Archive Data Solutions) to destroy the files, which were stored on computer tapes that were in a format no longer used. Iron Mountain Data Products subcontracted the work without South Shore Hospital’s prior knowledge to Graham Magnetics, which arranged for three boxes of the computer tapes to be shipped to its Texas facility for destruction. When certificates of destruction were not provided to the hospital in a timely manner, South Shore Hospital repeatedly asked Iron Mountain Data Products for an explanation. The hospital was informed on June 17, 2010, that Graham Magnetics had received and destroyed the contents of one of the three boxes of computer tapes, but had not received the other two boxes. It is important to note that these were back-up computer files. The original files remain protected and intact.
2. Has South Shore Hospital reported a new data loss?
No. Recent announcements and news reports are related to the Massachusetts Attorney General’s Office’s actions regarding the loss of South Shore Hospital’s back-up computer files that occurred in 2010.
3. I have been associated with South Shore Hospital as a patient, current/former employee, volunteer, physician, donor, or business associate. Is my information at risk?
In the two years since the back-up computer files were reported as missing, there remains no evidence that any information on the files has ever been accessed or used by anyone. An investigation into the matter indicates that the files most likely were disposed of in a secure commercial landfill and are unrecoverable.
4. What did South Shore Hospital do when it learned that the back-up computer files were missing?
South Shore Hospital immediately launched a search for the two missing boxes. Key findings of South Shore Hospital’s investigation, which involved qualified outside experts, included:
- The back-up computer files were stored on unmarked computer tapes that were packed in three sealed boxes. The boxes were wrapped together on a shipping pallet and had no indication on the outside or inside that they contained confidential information.
- South Shore Hospital, a private investigation team, and Ohio-based R+L Carriers – the company that transported the files for offsite destruction – conducted multi-state searches for the two missing boxes. All available evidence indicates that the three boxes of computer tapes were likely separated from each other during transport. Once separated, two of the three boxes were unidentifiable because they were unmarked and appeared to be of no value. As a result, those two boxes of computer tapes are believed to have been disposed of in a secure commercial landfill that R+L Carriers uses to dispose of unclaimed materials and are therefore unrecoverable.
- Even if the computer tapes were found, experts from Huron Consulting Group have concluded that specialized equipment, proprietary software, sophisticated knowledge, time and financial resources would be required to access, aggregate, interpret and ultimately use information on the files.
5. What steps did South Shore Hospital take to notify the public about the loss of back-up computer files in 2010?
South Shore Hospital twice notified the public about the loss of back-up computer files and reported steps that always are available to protect personal information. The first notification was on July 19, 2010, soon after we became aware of the loss of the files; the second was on September 8, 2010, when we completed our internal investigation and risk assessment. Both announcements generated extensive publicity. Additionally, in September 2010 we published paid notices in the state’s largest-circulation newspapers, as is consistent with Massachusetts General Law Chapter 93H. South Shore Hospital also posted information for more than a year on its website, exhibited signs throughout the hospital and in various physician offices, and maintained a toll-free automated phone line to answer questions.
6. What is a Business Associate Agreement? Did South Shore Hospital have one with the company it hired to destroy the data on its back-up computer tapes?
A Business Associate Agreement is a contract between organizations that have access to protected health information (PHI). The agreement sets forth the requirements that a Business Associate must follow regarding the confidentiality, security, use and disclosure of PHI.
South Shore Hospital contacted Iron Mountain to destroy the data on the back-up computer tapes. Through Iron Mountain, the hospital engaged Iron Mountain Data Products (now known as Archive Data Solutions). Based on the hospital’s long-standing relationship with Iron Mountain, we believed we were operating under an existing Business Associate Agreement with Iron Mountain covering confidential information. As a result, we believed that Iron Mountain Data Products (the entity we engaged to destroy the data) would adhere to the “gold standard” data-destruction policies and procedures advertised by Iron Mountain.
7. Why didn’t South Shore Hospital notify Iron Mountain Data Products that the material being destroyed contained personal information (PI) and protected health information (PHI)?
We believed that we had engaged an Iron Mountain entity for the project, and because Iron Mountain regularly handles personal information and protected health information for our hospital, we believed the firm was aware of the nature of the materials.
8. At the time of the file loss, did South Shore Hospital have policies in place to protect patient data?
Yes. South Shore Hospital had in place policies, staff training and implementation procedures designed to protect patient data at the time of the file loss. We always have been committed to data security and to improving our policies and procedures to address the changing environment in which we operate.
9. What steps have you taken since 2010 to minimize the risk of a loss of data in the future?
Since 2010, South Shore Hospital has invested more than $1 million in upgraded hardware, software and staff training to enhance electronic data management and security, including:
- Improving methods for the destruction of electronic files containing PI/PHI;
- Establishing more stringent protocols for those vendors with whom we electronically exchange and/or store PI/PHI;
- Further safeguarding PI/PHI on portable, removable, and remotely-accessible electronic media;
- Adding a second Data Center to maintain the integrity and availability of PI/PHI in the event that our primary Data Center experiences a sustained power interruption and/or system failure;
- Upgrading our physical and wireless networks to apply various industry-leading data security and protection safeguards; and
- Augmenting employee training programs.
10. Were South Shore Hospital’s staff members sufficiently trained in data management and destruction policies at the time of the file loss? Have staff been better trained?
Prior to this situation, South Shore Hospital trained its colleagues on data security and privacy issues at the time of hire and at least annually thereafter. Since then, our hospital has trained all colleagues on the updated policies and procedures and now requires participation in routine trainings, as our data management policies continue to evolve.
11. Can you tell me if my information is on the back-up computer files?
It is impossible to know exactly what information about which individuals may have been on the back-up computer files. South Shore Hospital does not back up (copy) information from its original computer files in alphabetical, sequential or chronological order.
Therefore, to determine what information may have been on the back-up computer files, South Shore Hospital has worked under the assumption that the files could have contained everything on our hospital’s computer system during the file back-up period of January 1, 1996 to January 6, 2010.
If you were a patient, employee, physician, volunteer, donor, vendor, or other business partner associated with South Shore Hospital between January 1, 1996 and January 6, 2010, your personal information may have been on the back-up computer files. The information may have included individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a small subset of individuals also may have been on the back-up computer files.
12. My personal information has recently been compromised. How do I know that it was not a result of the lost back-up computer files?
We are not aware of any evidence that information on the back-up tapes has ever been accessed or used by anyone. The hospital’s original files remain protected and intact.
For information about steps that always are available to protect information, please click here.