Nearly 10,000 patients involved in research studies were impacted by a third-party privacy breach that may have exposed their medical diagnoses, test results and genetic information at Massachusetts General Hospital (MGH).
Officials at the Boston-based hospital said they learned on June 24 that an unauthorized third party accessed databases related to two computer research applications used within the department of neurology, MGH said in a statement.
Approximately 9,900 research participants had information available on the databases.
An investigation revealed that the incident occurred between June 10 and June 16. During that time, the unauthorized third party may have had access to individuals' first and last names, demographic information, dates of birth, dates of study visits and tests, medical record numbers, type of study and research study identification numbers, diagnosis and medical history as well as biomarkers and genetic information.
For deceased research participants, the research data included date of death, and, when available, summary autopsy results.
The research data didn't include any participant's social security number, insurance information or any financial information, and the incident did not involve the hospital's medical records system, MGH said.
"As soon as MGH discovered this incident, it took steps to prevent further unauthorized access and restore the affected research computer applications and databases," the hospital said in a statement.
MGH also noted that it had engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution. "MGH continues to review and enhance the security processes in place for its research programs," the hospital said.
While the privacy incident did not expose social security numbers, medical-related information has value to cybercriminals both on its own and when combined with other breached data that are widely available on the black market, said Matthew Gardiner, cybersecurity strategist at Mimecast, a cybersecurity solutions provider.
"This type of medical-related data, for example, can be used in various forms of identity theft, blackmailing of patients with diagnoses that they prefer to keep private, and building false trust as part of targeted phishing and impersonation attacks," he said.
MGH did not name the vendor of the computer applications impacted by the privacy incident, but it is possible that the third-party breach could impact other healthcare organizations, said David Holtzman, executive adviser at cybersecurity firm CynergisTek.
"As we've seen with other incidents involving vendors of information services to healthcare organizations, they tend to serve more than one entity at a time," said Holtzman, a former senior adviser to the Department of Health and Human Services' Office for Civil Rights for health information technology and the HIPAA Security Rule.
A massive data breach at a third-party billing collections firm, the American Medical Collection Agency (AMCA), impacted at least four clinical labs and potentially exposed over 22 million patients' data.
Tim Erlin, vice president for product management and strategy at Tripwire, a cybersecurity technology company, said MGH's statement provides scant details about how the breach occurred.
"While disclosing as little information as possible might seem helpful to MGH, it prevents the larger community from learning from this incident," he said.
The incident at MGH, like the AMCA breach, highlights the risk that healthcare organizations take on when they fail to properly manage the security of their third-party vendors, cybersecurity experts say.
More than half of hospitals (56%) have experienced one or more vendor-related data breaches in the past two years, at an average cost of $2.9 million, according to a Ponemon report.
"At the end of the day, the HIPAA covered entity is left holding the bag," Holtzman said, noting that healthcare organizations need to do more robust risk assessments of any vendor or subcontractor that handles the organization's healthcare data, including protected health information or personally identifiable information.
"Organizations need to be much more aware of what data they are sharing with third-party vendors and what kind of security practices these third-party vendors employ. It is simply not enough to merely comply with the HIPAA requirements to obtain the business associate agreement," Holtzman said.
Healthcare organizations also should require vendors to perform these same risk management assessments of any subcontractors that handle healthcare data.