St. Elizabeth’s tells of data breach

Billing information possibly compromised

St. Elizabeth’s Medical Center said Friday it is notifying 6,831 patients that their billing information, including credit card numbers and security codes, may have been compromised when documents the hospital planned to shred were removed by a vendor from a building scheduled for demolition.

The papers did not include personal medical information and so far, there have been no reports that any of the billing data contained in the documents has been misused, according to hospital officials.

St. Elizabeth’s, in Boston’s Brighton neighborhood, released a statement saying it was alerted Feb. 3 by an individual who reported finding papers from the hospital blowing through a field in Charlestown. They contained cashier’s receipts for credit card payments made by five patients at St. Elizabeth’s surgical day center and other outpatient services.


While the individual reported seeing other papers but did not retrieve them, St. Elizabeth’s said representatives sent to the scene were unable to find any other documents. The hospital is owned by Boston-based Steward Health Care System, a chain of community hospitals.

“St. Elizabeth’s Medical Center had hired certain trusted vendors to begin clearing out the building on Jan. 30, 2012,’’ the hospital said in a statement. “All materials containing either a patient name or personal information were supposed to have been shredded.’’

Hospital officials have no evidence that information for more than five patients was lost, but said they decided to alert all patients whose information had been stored in the office where the five patients’ records were kept. The receipts found included patients’ names, hospital account numbers, and credit card numbers, security codes, and expiration dates.

“We take patients’ information very seriously, and we’re reviewing our policy, and our training procedures to make sure this never happens again,’’ said hospital spokesman Chris Murphy.

The incident marked the second health care data breach in the region in recent weeks. On March 23, CVS Caremark Corp. said it had mistakenly sent letters to about 3,500 Tufts Health Plan members, giving them personal information about the medical conditions and medications of other members enrolled in a supplemental Medicare plan managed by Tufts.


That mistake was caused by an unspecified “programming error’’ by CVS Caremark, the pharmacy benefits manager for the Tufts Medicare Preferred Plan.

Robert Weisman can be reached at weisman@globe.com.