Missing files little threat, hospital says
Missing computer files that possibly contained personal information on about 800,000 people connected to South Shore Hospital are “unrecoverable,’’ the hospital said yesterday after an investigation that also concluded there is little chance that individuals would be harmed by the data breach.
“All available evidence indicates that the files are unrecoverable and that there is little to no risk that information on the files has been or could be acquired,’’ the hospital said in a statement.
The Weymouth hospital disclosed the lost files on July 19. Back-up computer tapes from Jan. 1, 1996, through Jan. 6, 2010, were lost by a subcontractor working for a company South Shore had hired to destroy three boxes containing unmarked computer tapes. One box was destroyed but two boxes never arrived at their destination in Texas.
The computer tapes included information on patients, doctors, employees, volunteers, vendors, donors, and others who were associated with the hospital, its 400-member South Shore Physician Hospital Organization, and Harbor Medical Associates, a group practice for which the hospital performed lab tests. The hospital files may contain personal, health, and financial information.
Investigators working for South Shore concluded that the sealed boxes of computer tapes were probably sent to a commercial landfill along with other unclaimed shipments. The files would require specialized equipment and software to read the information, the hospital said.
In light of the findings, the hospital said it has dropped plans to send letters informing potentially affected people about the lost health and financial data and will rely instead on notices published in newspapers and on the hospital’s and physicians’ websites, and on signs posted in their offices.
That approach, while legal in cases affecting more than 500,000 people, drew an objection yesterday from state Attorney General Martha Coakley. “They had originally confirmed for us that they were going to be notifying individuals privately at their homes about the missing data,’’ said Amie Breton of the attorney general’s office. “We are concerned that some consumers might miss the information that their data could have been compromised.’’
The hospital defended its decision to not mail notices to consumers. “We’re confident that we have followed state law to inform our community of both the results of the investigation and the steps they can take to protect themselves,’’ hospital spokeswoman Sarah Darcy said.
Coakley’s office will continue to monitor and investigate the hospital with regard to the data breach and the response, Breton said.
Elizabeth Cooney can be reached at firstname.lastname@example.org.