South Shore Hospital, in Weymouth, Massachusetts, has found itself in the highly embarrassing situation this week of admitting that the personal information of about 800,000 patients may have been lost in what can only be described as a data destruction disaster.
On February 26th, the hospital shipped backup computer files – containing the personal identifiable information of approximately 800,000 patients, staff, volunteers and business partners – to a third-party company – expecting them to be destroyed.
The hospital noticed that it hadn’t received a certificate from the data management company to confirm that the personal, medical and financial information had been destroyed – and on June 17th was finally informed that only a portion of the shipped back-up files has been received and destroyed.
That’s bad news if it was your name, address, phone number, date of birth, Social Security number, medical history or even (in some cases) bank account and credit card information that was lost.
A letter from the hospital’s president and CEO, Richard H Aubut, to affected patients is due to be sent out in the coming weeks warning them of the risk of identity theft.
The hospital has published an FAQ on its website where it provides information for concerned individuals who may be worried that their personal information has been lost.
My immediate thought on hearing the news on this data loss was “Why on earth wasn’t this sensitive information encrypted?”. After all, if the records were encrypted then even if they were lost, no-one would be able to do anything with them unless they were able to crack the password.
The hospital has an answer for this, however. In their website FAQ they give this explanation:
These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.
Hmm.. I wonder what that actually means. Let’s hope they’re right, and up to 800,000 people aren’t put in peril because of this sloppy affair.