For Immediate Release - September 08, 2010

Attorney General Martha Coakley: 800,000 Consumers Affected by South Shore Hospital Data Breach to Receive Substitute Notification

Consumers should be aware that they will not receive individual written notice by South Shore Hospital

BOSTON - On Monday, July 19, 2010, South Shore Hospital announced that certain back-up computer files, possibly containing the personally identifiable information and/or protected health information of approximately 800,000 individuals, may have been lost by a professional data management company when the information was sent off-site to be destroyed. South Shore Hospital initially informed the Attorney General's Office and the public that it would send individual written notice of the data breach to each affected consumer. However, South Shore Hospital has informed the Attorney General's Office that it does not plan to send individual written notice to affected consumers. Instead, South Shore Hospital has chosen to invoke a provision under state law to notify consumers through the "substitute notice" process, which means rather than receiving individual letters at their homes, consumers who are affected by the breach will be generally notified of the data loss through a posting on South Shore Hospital's website, publication in newspapers throughout the Commonwealth, and by e-mail for those consumers for whom South Shore Hospital has e-mail addresses.

The Attorney General's Office has objected to South Shore Hospital's revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss. The Attorney General's Office will continue to monitor and investigate South Shore Hospital's actions with regards to the data breach and its response.

Since South Shore Hospital made its announcement on July 19, 2010, and advised the Attorney General's Office that certain patients of Harbor Medical Associates, PC as well as vendors associated with South Shore Physician Hospital Organization and patients receiving care from its member physicians may have been included among the 800,000 individuals affected by the data loss. Harbor Medical Associates, PC and Shore Physician Hospital Organizations have likewise informed the Office of the Attorney that they do not plan to send out individual notices but will join South Shore Hospital in publishing notices in newspapers, on their respective websites and providing email notification where appropriate.

Attorney General Martha Coakley's Office advises that the following individuals should assume that their personal information and/or protected health information has been affected by the breach and should consider taking the precautionary steps described below:

1) all patients, employees, volunteers, donors, vendors, and other business partners associated with South Shore Hospital between January 1, 1996 and January 6, 2010;

2) all Harbor Medical Associates, PC patients during the period July 1, 2004 to January 6, 2010;

3) all patients whose care was provided by South Shore Physician Hospital Organization member physicians between January 1, 1999 and January 6, 2010; and

4) all vendors with whom South Shore Physician Hospital Organization has done business from January 1, 2001 to January 6, 2010.

If you believe you are affected, South Shore Hospital has posted information about this data loss on its website at www.southshorehospital.org and this information is available through a special automated toll-free Information Line at (888) 533-3000.

Individuals may also visit Harbor Medical Associates, PC website at www.harbormedical.com, or the South Shore Physician Hospital Organization website at www.sspho.org.

Attorney General Martha Coakley's Office reminds consumers of the following information on how to protect their health records, credit and financial information against identity theft.

Protecting Your Financial Information:

1. Call one of the three major credit bureaus and place a fraud alert on your credit report:

  • Equifax: Call (800) 525-6285, www.equifax.com, or write: P.O. Box 740241, Atlanta, GA 30374-0241.
  • Experian: Call (888) 397-3742, www.experian.com, or write: P.O. Box 9532, Allen, TX 75013.
  • TransUnion: Call (800) 680-7289, www.transunion.com, or write: Fraud Victim Assistance Division, P.O. Box 6790 Fullerton, CA 92834-6790.

Consumers only need to call one of the three credit bureaus; the one you contact is required by law to contact the other two credit bureaus. This one-call fraud alert will remain in your credit file for at least 90 days. When you place a fraud alert on your credit report, you are entitled to order one free credit report from each of the three nationwide consumer reporting agencies.

2. Order a copy of your credit report, and look for unauthorized activity. Look carefully for unexplained activity on your credit report.

3. If there is unexplained activity on your credit report, you may want to place an extended fraud alert on your credit report. In order to do this, you need to file a police report with your local police department, keep a copy for yourself, and provide a copy to one of the three major credit bureaus. Then an extended fraud alert can be placed on your credit file for a 7-year period. This will mean that any time a user of your credit report (for instance, a credit company of lender) checks your credit report, it will be notified that you do not authorize any new credit cards, any increase in credit limits, the issuance of a new card on an existing account, or other increases in credit, unless the user takes extra precautions to ensure that it is giving the additional credit to you (and not to an identity thief).

4. If there is unexplained activity on your credit report, you may also want to consider placing a security freeze on your credit reports. Massachusetts consumers can place a security freeze on their credit reports. In most instances, a security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. Consumers should be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests they make for new loans, credit mortgages, employment, housing or other lines of credit.

If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, the credit reporting agency cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you $5 fee for each placing, temporary lifting or removing of a security freeze.

To place a security freeze on your credit report, you should send a written request to each of the three nationwide consumer reporting agencies by regular, certified or over night mail at the addresses below:

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013

TransUnion
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834

In order to request a security freeze, you must:

  • Provide your full name (including middle initial as well as Jr., Sr., II, III, etc.,) address.
  • Social Security number, and date of birth;
  • If you have moved in the past 5 years, supply the addresses where you have lived over the prior 5 years;
  • Provide proof of current address such as a current utility bill or phone bill;
  • Send a photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.);
  • If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
  • If you are not a victim of identity theft, include payment by check, money order or credit card. Do not send cash in the mail.

Protecting Your Medical Information:

Medical identity theft occurs when someone uses your personal information without your knowledge or consent to obtain, or receive payment for, medical treatment, services, or goods. Victims of medical identity theft may find that their medical records are inaccurate, which can have a serious impact on their ability to obtain proper medical care and insurance benefits.

To detect medical identity theft, consider the following steps:

  • Closely monitor any "Explanation of Benefits" sent by public or private health insurers. If anything appears wrong, raise questions with the insurer or the provider. Do not assume that there are no problems simply because you may not owe any money.
  • Request a listing of benefits paid in your name by any health insurers that might have made such payments on your behalf. Do this once a year (or more often, if you believe there is cause for concern).
  • Monitor your credit reports with the nationwide credit reporting companies listed above (Equifax, Experian, and TransUnion) to identify reports of medical debts.
  • Request copies of your current medical records from each health care provider and review your records for inaccuracies. Note that you will likely have to complete a form and pay a fee for a copy of these records

##########