South Shore Hospital Breach Exposes 800K Patients' Records
Wednesday, July 28, 2010
On July 19, South Shore Hospital in Weymouth Massachusetts announced details about a data breach, where 800,000 patients' records from the last 14 years were lost by a data management vendor. The hospital shipped backup computer files on February 26, 2010 to the data management vendor for off-site destruction. The hospital became concerned when it did not receive confirmation from the vendor of destruction of the computer files.
The lost, or stolen, computer files contained sensitive personal and medical information about hospital employees, doctors, volunteers, donors, vendors and business partners. The hospital stated in a press release:
"The information on the back-up computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files."
May include? An organized hospital should know what is on those lost/stolen backup data tapes. After all, it had over four months -- from late February into July -- to investigate and determine exactly what was on those data tapes.
And, was the information on these backup computer files encrypted? It should have been.
Moreover, the delay between discovery of the breach and notification was too long. I see this type of delay repeatedly in data breaches. A 4+-month delay in notification to breach victims gives identity criminals plenty of time to do damage. The announcement and the delay give the impression that the hospital did not have a breach response plan:
"The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur. The investigation into the matter remains ongoing."
Moreover, the hospital had not yet notified its breach victims at the time of the announcement. It said it would notify breach victims during the coming weeks. Weeks?
In my opinion, that is not good and simply sloppy. This breach is a disaster for any health care organization as the lost (or stolen) information is pure gold for identity thieves: everything needed to gain health care fraudulently and/or open new lines of credit.
Experts advise patients, employees, former employees, contractors, or vendors of South Shore Hospital to check their credit reports for fraudulent entries. The hospital listed the telephone numbers for the three major credit reporting agencies in its Sample Individual Notification letter. The ID-Theft Resources page in this blog lists the website addresses of the three major credit reporting agencies.
If you discover fraud (e.g., bogus entries in your credit reports, another person's medical information in your medical records, another person has committed a crime in your name, etc.), the hospital's Sample Individual Notification letter correctly advised breach victims to:
- File a police report with local law enforcement (and keep copies -- you'll need them later)
- File an identity theft complaint with the U.S. Federal Trade Commission
- Access the official site -- annualcreditreport.com -- to get free copies of your credit reports from the three major credit reporting agencies
- Notify the credit reporting agencies in writing of any errors or fraudulent entries on your credit reports
- For protection, place a Fraud Alert on your credit reports. If you have experienced fraud, use a Security Freeze instead. Not sure? Browse the differences.
However, the hospital should have done more. First, the standard post-breach response is for an organization to provide its breach victims with free credit monitoring services. And that service should include credit resolution services, since it will cost breach victims much time and money to repair their credit files. South Shore Hospital didn't offer this service in either its press release or its Sample Individual Notification letter.
How long for complimentary credit monitoring? IBM provided its breach victims, including me, with one year, but other companies and hospitals have provided two years. The longer, the better.
Second, it is extremely difficult to correct medical files when another person has used your personal information to obtain health care fraudulently. Any identity monitoring and resolution service should also help breach victims with this. After its data breach of 1.5 million records, in 2009 Health Net selected Debix as the complimentary credit monitoring service for its breach victims. Earlier this year, AvMed offered its 1.2 million breach victims complimentary services with Debix. Debix provides services that cover both credit files and health records.
Third, the hospital should set up a website to answer common questions breach victims typically have, to share the results of the breach investigation, and to present the actions the hospital is taking so this breach doesn't happen again. For many consumers this will be their first experience with a data breach and identity theft. A certain amount of guidance and assistance is appropriate.
Fourth, the hospital should have named the data management vendor in its initial press release. In later news reports we learned that the data management vendor, Archive Data Solutions, had subcontracted the work to another company. That's still no excuse. Consumers deserve timely breach notification, and the hospital's contract has to anticipate this.
Fifth, I was surprised that the hospital's Sample Individual Notification did not mention, for breach victims that are also Massachusetts residents, the Massachusetts Attorney General website which contains several identity theft resources, including this handy guide for fraud victims (PDF format, 113K bytes). This is appropriate content for a post-breach support website, too. WHDH reported several tips from the Attorney General's office for breach victims to protect their medical records.
What do you think? If you are a South Shore Hospital breach victim and received a breach notification letter, we would like to hear your experience.
Hospital should set up a website to answer common questions breach victims typically have, to share the results of the breach investigation, and to present actions the hospital is taking so this breach doesn't happen again. For many consumers this will be their first experience with a data breach and identity theft... It's their responsibility to take good care of the information given to them... they shouldn't be careless...
Posted by: Credit Repair Services | Tuesday, August 24, 2010 at 08:56 AM
OMG! It is sad to hear that the hospital lost 800,000 patients' records. The hospital must keep backups of all these records on at least 2-3 servers. In the case that one server fails, we can find the details on another one. No doubt, the computer files contained sensitive personal and medical information about hospital employees, doctors, volunteers, donors, vendors and business partners. And it would be a great loss for the hospital. Keeping the records is not the work of one day only... it takes several years.
Posted by: records management | Friday, January 28, 2011 at 11:37 PM