A malware attack discovered by Partners HealthCare System nearly nine months ago may have compromised information for more than 2,600 patients, according to the Boston health system.
Partners, an integrated system that includes Massachusetts General Hospital and Brigham and Women’s Hospital, discovered the malware attack in May 2017 after monitoring systems identified suspicious activity. Although officials and forensic consultants quickly determined Partners was not a specific target of the attack, an investigation revealed that the malware led to unauthorized access between May 8 and May 17.
The incident occurred at the same time as last year’s WannaCry attack, but a spokesperson for Partners said the attack was not connected to the global attack. Shortly after WannaCry, physicians at Partners HealthCare argued that cyberattacks should be viewed as a public health threat.
A subsequent review indicated that patient data was among the information that may have been accessed. However, it took months to complete a manual data analysis since the impacted data was “mixed together with computer codes, dates, numbers and other data,” according to an announcement by Partners.
Although the investigation determined the malware attack did not impact the system's EHR, some patient information may have been compromised, including Social Security numbers, dates of service and “certain limited clinical information” such as diagnosis, procedure type and medication.
Partners says it is not aware patient information has been misused in any way but is notifying the 2,600 patients and providing free credit monitoring as a precautionary measure. The system also said it has implemented measures to enhance its security program including additional “controls and procedures and continuing to actively monitor systems for unusual activity.”