Hospital warns 800,000 patient records may be missing

South Shore Hospital
South Shore Hospital, in Weymouth, Massachusetts, has found itself in the highly embarrassing situation this week of admitting that the personal information of about 800,000 patients may have been lost in what can only be described as a data destruction disaster.

On February 26th, the hospital shipped backup computer files – containing the personal identifiable information of approximately 800,000 patients, staff, volunteers and business partners – to a third-party company – expecting them to be destroyed.

The hospital noticed that it hadn’t received a certificate from the data management company to confirm that the personal, medical and financial information had been destroyed – and on June 17th was finally informed that only a portion of the shipped back-up files has been received and destroyed.

That’s bad news if it was your name, address, phone number, date of birth, Social Security number, medical history or even (in some cases) bank account and credit card information that was lost.

Sign up to our free newsletter.
Security news, advice, and tips.

A letter from the hospital’s president and CEO, Richard H Aubut, to affected patients is due to be sent out in the coming weeks warning them of the risk of identity theft.

Sample letter from South Shore Hospital

The hospital has published an FAQ on its website where it provides information for concerned individuals who may be worried that their personal information has been lost.

My immediate thought on hearing the news on this data loss was “Why on earth wasn’t this sensitive information encrypted?”. After all, if the records were encrypted then even if they were lost, no-one would be able to do anything with them unless they were able to crack the password.

The hospital has an answer for this, however. In their website FAQ they give this explanation:

These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.

Hmm.. I wonder what that actually means. Let’s hope they’re right, and up to 800,000 people aren’t put in peril because of this sloppy affair.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.