The fines include a $250,000 civil penalty and a payment of $225,000 for an education fund to be used to promote education regarding the protection of personal information. The remaining $275,000 has been credited to the hospital to recognize the security measures it implemented following the breach.
"Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form," Massachusetts Attorney General Martha Coakley said in a statement.
"In February of 2010, the hospital contracted with a Pennsylvania company, Archive Data Solutions, to erase and re-sell 473 data tapes containing information on 800,000 individuals," writes The Boston Globe's Hiawatha Bray. "None of the data was encrypted, and so it could be read by anyone with the right equipment and training. The hospital did not inform Archive Data that the tapes contained sensitive information. The tapes were shipped to a Texas subcontractor in three boxes, but the hospital later learned that only one of the boxes arrived."
"The Attorney General said the hospital not only failed to notify Archive Data Solutions of the sensitive information stored on the files but did not establish if the contractor had the proper security measures in place to protect the information, violating U.S. legislation," writes iTnews' Marcos Colon.
"All available evidence indicated that the back-up computer files were most likely disposed of in a secure commercial landfill and were therefore unrecoverable," the hospital said in a statement. "In the two years since the back-up computer files were reported as missing, there remains no evidence that any information on the files has ever been accessed or used by anyone."