[BreachExchange] MGH reports data breach that exposed information of nearly 10, 000 people

Destry Winant destry at riskbasedsecurity.com
Fri Aug 23 10:11:11 EDT 2019


Massachusetts General Hospital said Thursday that a data breach in its
neurology department has exposed the private information of nearly
10,000 people.

“An unauthorized third party” accessed data in two computer programs
used by researchers, Mass. General said.

The breach exposed data about participants in certain research
programs, including their names, dates of birth, medical record
numbers, and medical histories. Social Security numbers and financial
information were not disclosed, according to the hospital.

The incident occurred in June. The hospital has begun notifying people
who were affected.

“As soon as MGH discovered this incident, it took steps to prevent
further unauthorized access,” spokesman Michael Morrison said in a

“MGH also engaged a third-party forensic investigator to conduct a
review and has contacted federal law enforcement as a precaution,” he

The hospital said it does not believe that participants should take
any specific steps because of the breach. It provided a toll-free
number, 866-904-6219, for individuals who have any questions or would
like additional information about the incident.

“I think this goes to show you can never be too careful with patient
data,” Nilesh Chandra, a Boston-based health care expert at PA
Consulting, said in a statement. “Even for highly mature
organizations, a privacy centric approach is required in all aspects
of clinical and business operations to ensure that patient data is
handled securely.”

The breach at MGH is the latest such incident involving Boston-area
hospitals in recent years, including:

■   A 2012 breach at Beth Israel Deaconess Medical Center left
thousands of patients’ details vulnerable. The hospital later agreed
to pay a $100,000 state fine and improve the security of patient

■  In 2014, Boston Medical Center fired a transcription service after
a health care provider reported that the medical records of about
15,000 patients at the hospital were posted without password
protection on the vendor’s website used by physicians.

■  At McClean Hospital in Belmont, information about 12,600 people who
donated their brains to research went missing in 2015. The psychiatric
hospital agreed to pay $75,000 in a settlement with the state and to
beef up computer security.

■  A 2016 breach at Massachusetts General exposed personal data of
about 4,300 dental patients.

■  In 2018, Cambridge Health Alliance notified patients of a data
breach that resulted in billing information for 2,500 people landing
in the hands of an “unauthorized third party.”

More information about the BreachExchange mailing list