Posted on: September 8, 2010
Call our automated toll-free information line at
(888) 533-3000.
 |
 |
 |
SOUTH SHORE HOSPITAL REPORTS FINDINGS FROM
INVESTIGATION INTO MISSING BACK-UP COMPUTER FILES
September 8, 2010 – South Shore Hospital today announced that it has completed its investigation into the loss of its back-up computer files. All available evidence indicates that the files are unrecoverable and that there is little to no risk that information on the files has been or could be acquired, accessed or misused. South Shore Hospital has reported the findings of its investigation to the Massachusetts Attorney General’s Office and to the US Department of Health and Human Services.
South Shore Hospital publicly reported on July 19, 2010 that back-up computer files containing personal, health and financial information may have been lost. On February 26, 2010, South Shore Hospital engaged Iron Mountain Data Products (now called Archive Data Solutions) to destroy back-up computer files that were stored on computer tapes that were in a format the hospital no longer used. Iron Mountain Data Products subcontracted the work without South Shore Hospital’s prior knowledge to Graham Magnetics, which arranged for three boxes of the computer tapes to be shipped to its Texas facility for destruction. When certificates of destruction were not provided to the hospital in a timely manner, South Shore Hospital repeatedly asked Iron Mountain Data Products for an explanation. The hospital was informed on June 17, 2010, that Graham Magnetics had received and destroyed the contents of one of the three boxes of computer tapes, but had not received the other two boxes.
South Shore Hospital, along with other involved parties, immediately launched a search for the two missing boxes. The search included hiring an outside private investigative team to interview individuals with knowledge about the shipment. The hospital also engaged computer forensic experts from Huron Consulting Group to assess whether information on the missing back-up computer files could be acquired, accessed, used, or disclosed in an unauthorized manner that could pose a significant risk of financial, reputational or other harm to an individual. Huron Consulting also assessed whether there is knowledge or reason to know that personal information that may have been on the files was acquired or used by an unauthorized person or for an unauthorized purpose.
South Shore Hospital has concluded that there is little to no risk that information on the files has been or could be acquired, accessed or misused based on the following key investigation findings:
- The back-up computer files were stored on unmarked computer tapes that were packed in three sealed boxes. The boxes were wrapped together on a shipping pallet and had no indication on the outside or inside that they contained confidential information.
- South Shore Hospital, the private investigation team, and Ohio-based R+L Carriers – the company that transported the files for offsite destruction – conducted multi-state searches for the two missing boxes. All available evidence indicates that the three boxes of computer tapes were likely separated from each other during transport. Once separated, two of the three boxes were unidentifiable because they were unmarked and appeared to be of no value. As a result, those two boxes of computer tapes are believed to have been disposed of in a secure commercial landfill that R+L Carriers uses to dispose of unclaimed materials and are therefore unrecoverable.
- Even if the computer tapes were found, Huron’s experts have concluded that specialized equipment, proprietary software, sophisticated knowledge, time and financial resources would be required to access, aggregate, interpret and ultimately use information on the files. View an executive summary of Huron’s report.
· There remains no evidence that any information on the missing back-up computer files has ever been acquired, accessed, or used by anyone.
To determine what information may have been on the back-up computer files, South Shore Hospital worked under the assumption that the files could have contained everything on the hospital’s computer system during the file back-up period of January 1, 1996 to January 6, 2010. As originally reported on July 19, 2010, the back-up computer files could have contained personal, health and financial information for approximately 800,000 individuals, including patients, employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital. The hospital’s original files remain protected and intact.
Also included among the 800,000 individuals may have been certain patients of Harbor Medical Associates, PC and certain patients and vendors associated with the South Shore Physician Hospital Organization (PHO), some of whom never have been South Shore Hospital patients.
Harbor Medical Associates, PC, is an independent medical practice with multiple offices on the South Shore. Harbor Medical has agreements with South Shore Hospital to maintain certain patients’ personally identifiable and health information related to specific laboratory tests performed between October 5, 2009 and January 6, 2010 and imaging studies performed between February 15, 2006 and January 6, 2010. In addition, Harbor Medical shares certain patient information with South Shore Hospital to better coordinate patient care. This information may include personally identifiable information for Harbor Medical patients during the period July 1, 2004 and January 6, 2010. Credit card and other personal financial information related to Harbor Medical patients are not stored on South Shore Hospital’s computer systems.
South Shore Physician Hospital Organization is an integrated delivery system comprising South Shore Hospital and a network of over 400 physicians serving the South Shore. South Shore PHO works with South Shore Hospital to maintain information required to manage certain health plan contracts for its member providers. The back-up computer files may have contained personally identifiable and/or health information relating to patients whose care was provided by South Shore PHO member providers under certain South Shore PHO health plan contracts between January 1, 1999 and January 6, 2010. The back-up computer files also may have included personally identifiable information for vendors with whom South Shore PHO has done business from January 1, 2001 to January 6, 2010. Credit card and other personal financial information related to South Shore PHO member providers’ patients are not stored on South Shore Hospital’s computer systems.
South Shore Hospital initially notified the public about this matter while its investigation was still underway. At that time, the hospital anticipated sending individual written notices to those whose information may have been on the back-up computer files. In light of the investigation findings, South Shore Hospital, Harbor Medical Associates and South Shore Physician Hospital Organization do not plan to send out individual notices and are instead publishing notices, consistent with Massachusetts General Law Chapter 93H, to inform the community about steps that always are available to protect information. These notices will be published in the state’s largest-circulation newspapers, posted to each organization’s websites, and exhibited at the hospital and in physician offices.
“The investigation into this matter has been extremely thorough and has involved numerous qualified independent experts. Based on what we’ve learned, I am confident that there is little to no risk that information on the files has been or could be accessed,” said Richard H. Aubut, South Shore Hospital president and chief executive officer. “Nevertheless, I remain deeply sorry about this situation and any concern it may have caused.”
Anyone with questions may:
-
Call South Shore Hospital’s automated toll-free information line at (888) 533-3000.
-
Visit Harbor Medical Associates, PC website at www.harbormedical.com
-
Visit South Shore Physician Hospital Organization’s website at www.sspho.org.
South Shore Hospital, Harbor Medical Associates and South Shore Physician Hospital Organization provide the following information, consistent with Massachusetts General Law Chapter 93H:
- Some state laws, including those in Massachusetts, allow you to place a security freeze on your credit reports. This would prohibit a credit reporting agency from releasing any information from your credit report without your written permission. You should be aware, however, that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing or other services.
If you believe that you have been a victim of identity theft and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze on your credit reports. In all other cases, a credit reporting agency may charge you up to $5.00 each time you place, temporarily lift, or permanently remove a security freeze. More detailed instructions on how to place or lift a security freeze on your credit card are attached at the end of this letter and are available on the Steps to Protect Your Information section of this website.
To place a security freeze on your credit report, you must send a written request to each of the three credit reporting agencies noted below, which must include the following information: (1) Full name (including middle initial as well as Jr., Sr., II, III, etc.); (2) Social Security Number; (3) Date of birth; (4) Addresses for the prior five years; (5) Proof of current address; (6) A legible copy of a government issued identification card; (7) A copy of any relevant police report, investigative report, or complaint to a law enforcement agency concerning identity theft and (8) If you are not a victim of identity theft, include payment by check, money order, or credit card (Visa, MasterCard, American Express or Discover only). Do not send cash though the mail.
Mail by regular, certified or overnight mail to the addresses below:
Equifax
|
Experian
|
TransUnionCorp
|
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. They must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to permit the removal or lifting of the security freeze.
To lift a security freeze to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and social security number) and the PIN number or password originally provided to you when you placed the security freeze. You also will need to provide the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report to be available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the period of time you have specified.
To remove a security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.
- You may also place a fraud alert on your credit report. This can help prevent someone from opening additional accounts in your name or changing your existing accounts. You can call any one of the three major credit reporting agencies listed above. As soon as one agency confirms your fraud alert, the others will be notified automatically of the alert.
- You may also order a copy of your credit report from the agencies listed above. You are entitled to receive a free credit report annually from each of these three credit agencies.
- In addition, if you believe that you have been the victim of identity theft, you have the right to file a police report and obtain a copy of it. Many creditors will want the information from the police report before excusing you from paying for any fraudulent charges or debts.
- Under some state laws, including those in Massachusetts, you have the right to obtain a copy of any police report made in connection with this matter. Please note that to date South Shore Hospital has not filed any police reports in connection with this matter.
- You can also file a complaint with the Federal Trade Commission at www.ftc.gov/idtheft or at (877) ID-THEFT (877-438-4338).
- If you believe someone else may have used your medical information, you may wish to consider taking additional steps which are outlined on the Federal Trade Commission’s website at www.ftc.gov.
Consumer protection information also is available by visiting the Massachusetts Attorney General’s website at www.mass.gov/ago.
# # #
