Hospital warns 800,000 patient records may be missing

Filed Under: Data loss

South Shore Hospital
South Shore Hospital, in Weymouth, Massachusetts, has found itself in the highly embarrassing situation this week of admitting that the personal information of about 800,000 patients may have been lost in what can only be described as a data destruction disaster.

On February 26th, the hospital shipped backup computer files - containing the personal identifiable information of approximately 800,000 patients, staff, volunteers and business partners - to a third-party company - expecting them to be destroyed.

The hospital noticed that it hadn't received a certificate from the data management company to confirm that the personal, medical and financial information had been destroyed - and on June 17th was finally informed that only a portion of the shipped back-up files has been received and destroyed.

That's bad news if it was your name, address, phone number, date of birth, Social Security number, medical history or even (in some cases) bank account and credit card information that was lost.

A letter from the hospital's president and CEO, Richard H Aubut, to affected patients is due to be sent out in the coming weeks warning them of the risk of identity theft.

Sample letter from South Shore Hospital

The hospital has published an FAQ on its website where it provides information for concerned individuals who may be worried that their personal information has been lost.

My immediate thought on hearing the news on this data loss was "Why on earth wasn't this sensitive information encrypted?". After all, if the records were encrypted then even if they were lost, no-one would be able to do anything with them unless they were able to crack the password.

The hospital has an answer for this, however. In their website FAQ they give this explanation:

These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.

Hmm.. I wonder what that actually means. Let's hope they're right, and up to 800,000 people aren't put in peril because of this sloppy affair.

, , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.