South Shore Hospital to pay $750,000 to settle data breach charges

It will cost South Shore Hospital in Weymouth $750,000 to settle charges related to a 2010 data breach that compromised the personal information of more than 800,000 people.

The settlement, approved Thursday in Suffolk Superior Court, included a civil penalty of $250,000 and $225,000 for a fund to be used by the office of Massachusetts Attorney General Martha Coakley to promote education on the protection of personal data. South Shore Hospital was also credited for $275,000 it spent on security measures following the breach.

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data,” said Coakley, who had sued the hospital under state and federal laws that require secure storage of personal information collected by hospitals.


The settlement is one of the biggest of its kind yet levied in Massachusetts. In 2009, Framingham-based retailer TJX Cos. paid Massachusetts $951,000 as part of a $9.75 million settlement with 41 states over a data breach that exposed 45.7 million credit and debit cards to possible fraud.

Get Talking Points in your inbox:
An afternoon recap of the day’s most important business news, delivered weekdays.
Thank you for signing up! Sign up for more newsletters here

In February of 2010, South Shore Hosipital contracted with a Pennsylvania company, Archive Data Solutions, to erase and resell 473 data tapes containing information on 800,000 individuals. None of the data were encrypted, and so they could be read by anyone with the right equipment and training.

The hospital did not inform Archive Data that the tapes contained sensitive information. The tapes were shipped to a Texas subcontractor in three boxes, but the hospital later learned that only one of the boxes arrived. The lost files have never been recovered, and there is no evidence that any of the personal data was ever misused.

Since the breach, “we’ve actually put in a great deal of new measures to protect personal information,” said hospital spokeswoman Sarah Darcy. “Everything — everything — is encrypted now.”

The hospital has established tougher requirements for the use of medical records on mobile devices, which could easily be lost or stolen, and employees have received additional training on the proper handling of patient data.


The theft or loss of sensitive digital data is not unusual. According to a report released last month by the state’s Office of Consumer Affairs and Business Regulation, there have been about 1,800 reported data breaches in Massachusetts in the past four years, exposing the personal data of 3.2 million people — about half the state’s total population.

Hiawatha Bray can be reached at