A third-party firm contracted by a Massachusetts hospital to destroy sensitive computer files cannot confirm that it wiped the information, leaving hundreds of thousands of patients at risk of identity theft.
The names, addresses, Social Security numbers and, in some cases, credit card data of up to 800,000 people may have been lost, according to Weymouth, Mass.-based South Shore Hospital. In addition, the lost data files contained information on doctors, staff members and donors.
The data was not encrypted. Hospital officials declined to name the contractor hired to destroy the files, but said the information is in a state that would take proprietary software to decipher. The data was collected between Jan. 1, 1996, and Jan. 6 of this year and was scheduled to be destroyed as part of the hospital's data destruction policies.
The lost backup data files also contained sensitive medical information including health plan identification numbers, treatments and visits. The hospital will notify individuals who may have been affected by the lost information.
The hospital shipped the files offsite for destruction Feb. 26. When no certificates of destruction were provided, the hospital contacted the data management company for an explanation. The hospital found out on June 17 that only a portion of the shipped backup files had been received and destroyed.
"I am deeply sorry that these files may have been lost," Richard H. Aubut, South Shore Hospital president and chief executive officer, said in a statement. "I recognize that this situation is unacceptable and would like to personally apologize to all those who have trusted us with their sensitive information."
The hospital is no longer using offsite data destruction services and has put in place policies to ensure that backup data can no longer be lost, Aubut said. The investigation into the matter remains ongoing, he said.
The last major data breach by a health care provider was last November at Health Net Inc., which lost sensitive data on 1.5 million people. An employee at the Woodland Hills, Calif.-based managed health care provider could not find an external hard drive containing the information.