Massachusetts General Hospital Data Breach Impacts 10,000 Patients
Aug23

Massachusetts General Hospital Data Breach Impacts 10,000 Patients

Massachusetts General Hospital (MGH) has discovered computer applications used by researchers in its Department of Neurology have been subjected to unauthorized access. The individual responsible would have been able to access the protected health information of approximately 10,000 patients. MGH discovered the breach on June 24, 2019 and immediately terminated access to the applications and databases. An investigation was launched, and a forensic investigator was engaged to help determine the nature and scope of the breach. The investigation confirmed that two applications had been subjected to unauthorized access between June 10 and June 16, 2019. Via the applications, the unauthorized individual would have been able to view information in databases related to specific neurology research studies. The types of information in the databases varied from patient to patient and may have included: Name, marital status, age, date of birth, sex, race, ethnicity, dates of visits and tests, medical record number, diagnoses, treatment information, biomarkers, genetic information, assessments...

Read More
HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records
Aug23

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA. The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law. SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment. Since 1975, further privacy and security laws have...

Read More
Why Are Hackers Targeting the Healthcare Industry?
Aug22

Why Are Hackers Targeting the Healthcare Industry?

The healthcare industry is under attack. More data breaches are being reported than ever before, but what is the motivation behind these attacks? Why are hackers targeting the healthcare industry? A new report from FireEye provides some answers. For the report, FireEye researchers studied recent healthcare cyberattacks and identified the tactics being used, the actions of the hackers post-compromise, and what the ultimate goals of the attacks were. The researchers were able to classify attacks into two groups: Those concerned with theft of data and disruptive/destructive threats. Many attacks are focused on obtaining patient data although research data can also be extremely valuable. Cyberattacks concerned with obtaining research information have a low, but noteworthy impact risk to healthcare organizations. These attacks are most commonly associated with nation-state threat actors. Cybercriminal gangs and nation-state sponsored hacking groups are investing time and resources into targeting specific healthcare organizations that store treasure troves of data. That could be a...

Read More
Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised
Aug22

Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is notifying 2,943 patients that some of their health information was stored on a server which was subjected to unauthorized access on June 19, 2019 when a hacker gained access to its network. The breach was detected the same day and the network was secured. A third-party computer forensics firm was hired to assist with the investigation and help determine the nature and extent of the breach. The compromised servers did not contain the medical records of all patients, only records of patients who received medical services between May 1, 2019 and June 12, 2019.  The forensic investigation did not uncover any evidence to suggest patient information was viewed or copied and no reports have been received to suggest patient information has been misused. For the majority of affected patients, the breach was limited to names, dates of birth, and clinical information. A small subset of patients also had their Social Security number exposed. Patients whose Social Security number was exposed have been offered complimentary credit...

Read More
Medical Records of Western Connecticut Health Network Patients Exposed
Aug22

Medical Records of Western Connecticut Health Network Patients Exposed

Nuvance Health has started notifying certain Western Connecticut Health Network (WCHN) patients that some of their protected health information has been exposed. On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent via the U.S. Postal Service (USPS), but the package was damaged in transit, exposing the contents of the package. WCHN was notified and retrieved the damaged package from the USPS. A spokesperson for WCHN said there was no indication that any information had been removed and misused and that the package did not appear to have left the custody of the USPS until it was collected by WCHN personnel. WCHN has now changed its procedures for sending protected health information to ensure similar incidents are prevented in the future. Patients were notified on August 19, 2019. The types of information in the records was limited to names, addresses, dates of birth, provider names, medical record numbers, diagnosis dates, diagnoses, and medical test results. 4,000 Arizona State University Students Notified...

Read More