Massachusetts General Reports HIPAA Breach Involving Nearly 10,000 People
Hospitals continue to be considered targets for cyber-attacks
Massachusetts General Hospital (MGH) reported an incident of unauthorized access to computer applications that its Department of Neurology uses for research studies. The individual responsible could have accessed multiple databases for various studies and, depending on the database, would have been able to access different information about approximately 10,000 patients. MGH reported that the information accessed may have included study participants’ names, marital status, age, dates of birth, sex, race, ethnicity, dates of visits and tests, medical record numbers, diagnoses, treatment information, biomarkers, genetic information, assessments and results, and other research information, including dates of death and details of autopsy results. MGH noted that other sensitive information, including Social Security Numbers, financial information, and health insurance information, was not exposed.

Immediately following the discovery of the unauthorized access, MGH hired a third-party forensic investigator to determine the nature and scope of the incident and took steps to prevent further unauthorized access and restore the involved applications and databases. The investigation confirmed that two applications had been subjected to unauthorized access in June of this year. Using these applications, the unauthorized individual would have been able to view information in databases related to specific neurology research studies. MGH has notified affected individuals and the Office for Civil Rights, and has posted substitute notification on its website.
Strategic Management compliance consultants have over 40 years of experience providing research, analysis, and program support for privacy and security rule compliance. Call us at (703) 683-9600 or contact us online for a tailored assessment of your organization’s particular needs.