PHI of 10,000 Patients Exposed in Massachusetts General Hospital Data Breach

Around 10,000 patients are being notified that their data may have been accessed by an unauthorized individual following a data security incident at Massachusetts General Hospital (MGH). 

On June 24, 2019, MGH discovered that unauthorized individuals had accessed computer applications used by researchers in its Department of Neurology. Upon discovery of the breach, MGH immediately took steps to revoke the unauthorized access and secure the applications and associated databases. 

An investigation was immediately launched to determine the scope of the breach. MGH hired a third-party cybersecurity organization to facilitate the breach investigation. The investigators concluded that the unauthorized individual could have accessed the protected health information (PHI) of around 10,000 patients. 

The investigators concluded that two applications had been subjected to unauthorized access between June 10 and June 16, 2019.

The databases were used by researchers associated with specific neurology research studies. The types of information in the databases varied from patient to patient and may have included names, marital status, age, date of birth, sex, race, ethnicity, dates of visits and tests, medical record number, diagnoses, treatment information, biomarkers, genetic information, assessments and results, and other research information, including date of death and details of autopsy results. 

The breach did not affect highly sensitive information such as Social Security numbers, financial information, and health insurance information were not exposed, thereby reducing the risk of affected patients becoming victims of fraud. 

MGH has informed federal law enforcement of the breach. 

Based on the findings of the investigation and the nature of the information exposed, MGH does not believe affected individuals need to take any special precautions to protect themselves against identity theft. 

 MGH has stated it intends to conduct a review of its security processes for research programs and intends to implement new security measures to prevent similar breaches in the future.