US Hospital Loses 800,000 Patient Records

InnovationRegulation

South Shore Hospital in Massachusetts reveals that backup files containing patient and employee information have disappeared

A Massachusetts hospital is under scrutiny after hundreds of thousands of patient and employee records went missing earlier this year.

The missing files underscore the problems health care providers face when balancing patient privacy and the need to store massive amounts of data, especially as new federal rules for electronic health records come into play.

South Shore Hospital in South Weymouth, Mass., reported on 19 July that it’s investigating the potential loss of 800,000 backup files containing personal, health and financial information of patients, physicians and other individuals connected with the medical facility.

Sent To Be Destroyed

The files were sent to a data-management company to be destroyed on 26 Feb., but the hospital was informed on 17 June that only a portion of the backup records had been received and destroyed. It’s unknown when during the four-month period that the files disappeared.

“We engaged a professional data-management company to arrange for the destruction and shipping and it was within this shipping process that these files were lost,” Sarah Darcy, spokesperson for South Shore Hospital, told eWEEK. “It was not something that happened on our campus.”

South Shore provides acute, outpatient, home health and hospice care and is the largest independently operated hospital in Eastern Massachusetts.

The files may contain information from patients, employees, physicians, volunteers, donors, vendors and other business partners who were affiliated with the hospital between 1 Jan., 1996, and 6 Jan, 2010.

South Shore said it arranged for the files to be destroyed because they were in a file format it no longer uses. According to the hospital, the files may contain personal information such as Social Security numbers, driver’s license numbers, data on diagnoses and treatment, and bank account and credit-card information.

The hospital has been in contact with the Massachusetts’ Attorney General’s office and Department of Public Health as well as the U.S. Department of Health and Human Services on this matter, but wouldn’t disclose the name of the data-management company or what type of storage device was involved.

The hospital will notify affected individuals in the coming weeks. In the meantime, the hospital is directing people who may be affected to notify credit agencies of possible theft.

Ongoing Investigation

Darcy declined to get into specifics due to the ongoing investigation but expressed regret for the incident and said the hospital will make sure the problem doesn’t reoccur.

“We’ve apologised and want to apologise as much possible because in the end we take responsibility for it,” said Darcy. “We are reviewing the policies and procedures, and the outcome of that review will certainly prevent this from ever happening again. What exactly the steps that will be taken post-review, I can’t say yet because the review is still under way.”

Darcy insisted that it’s unlikely the missing data has been accessed. “There is no evidence from our investigation or from anything that has been reported to the Massachusetts general’s office that any of this information has been accessed — no evidence whatsoever,” said Darcy. “It would take special equipment, special software and special knowledge and technical skills to access any of the information on the files, let alone decipher it.”

As hospitals move forward with plans for electronic medical records in response to the new meaningful-use guidelines from the U.S. Department of Health and Human Services, data security and privacy will remain a concern. “We thought we were doing the right thing as far as being stewards of sensitive information,” Darcy said.

Nevertheless, when data goes missing, communication with those affected will be essential. “We are dedicated to being transparent, and this is about informing the community,” the spokesperson said.

Read also :