Mass General Brigham Terminates Two Employees for Privacy Violations
Mass General Brigham in Boston, MA, has announced that two employees have been terminated over a privacy breach identified on April 4, 2024. An investigation was launched after the health system learned that the two employees allowed a third individual – who was not employed by Mass General Brigham – to perform some of their job duties that may have resulted in patients’ personal information being viewed. The investigation concluded on May 28, 2024, and confirmed that the alleged offenses occurred between February 26, 2024, and April 4, 2024.
The Health Insurance Portability and Accountability Act (HIPAA) requires protected health information (PHI) to be safeguarded at all times and prohibits disclosures of PHI to unauthorized individuals unless a valid authorization has been obtained from the individuals concerned in advance. Mass General Brigham had employment and privacy policies in place and said those policies were violated by the employees resulting in the employees’ immediate termination. Mass General Brigham did not disclose the relationship between the third person and the former employees.
The investigation confirmed that the information potentially viewed included names, addresses, medical record numbers, date of birth, phone numbers, email addresses, and health insurance policy numbers. Clinical information may also have been viewed, which included information about their visits or admissions to Mass General Brigham facilities, such as the reason for the visit, diagnosis, visit/admission date, and location. Some of the affected patients also had their Social Security numbers and/or financial information exposed, and some guarantor information may also have been viewed. Mass General Brigham said none of the affected individuals had financial account numbers exposed.
Mass General Brigham said in addition to terminating the employees, steps have been taken to prevent similar incidents in the future, including enhancing its employee training and the processes for its security alert system. As a precaution against identity theft and fraud, the affected patients have been offered 24 months of complimentary credit monitoring and identity theft protection services through IDX.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
On June 28, 2024, two unauthorized access/disclosure breaches were reported to the HHS’ Office for Civil Rights (OCR), one by Mass General Brigham Health Plan that affected 3,659 individuals and another by Mass General Brigham Incorporated that affected 655 individuals.
