HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Error Results in Massachusetts General Hospital Data Breach

The spate of employee emailing errors continues, with the latest entry in the Office for Civil Rights “Wall of Shame” being a recent Massachusetts General Hospital data breach; another example of how a simple mistake can result in the Protected Health Information of hundreds of patients being exposed.

The latest Massachusetts General Hospital data breach exposed the data of 648 patients, and included patient names, laboratory test results and a limited number of Social Security numbers, although no insurance information or financial data were exposed.

The security incident involved an email that was inadvertently sent to an incorrect recipient; potentially disclosing patient data. The error was identified promptly and the hospital made several attempts to recall the message, but those attempts proved to be unsuccessful. Deborah A. Adair, Massachusetts General Hospital’s Privacy Officer, confirmed in a letter to New Hampshire Attorney General, Joseph Foster, that no evidence has been uncovered to suggest that the data have been used inappropriately; although the letter did not state that the email and patient data have been successfully deleted.

Adair said, “As a precaution, we are notifying affected patients and offering eligible patients whose Social Security numbers were included in the email a complimentary one-year membership in credit monitoring and identity theft protection services from Experian.” Those services include identity restoration and a $1 million insurance policy against identity theft and credit fraud. Patients have been given three months to sign up for the services; which cannot be provided automatically due to privacy laws.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The hospital will also be undertaking a program of re-education of the staff to reiterate the importance of handing patient health data securely. Policies have also been changed as a result of the breach, and this type of data will no longer be sent via email due to the high risk of an error exposing patient data.

Massachusetts General Hospital is no stranger to data breaches. The healthcare provider was affected by the Partners Healthcare data breach announced in April this year. That breach exposed the records of 3,300 individuals, many of which were patients of Massachusetts General.

In 2011, a serious data breach exposed the data of 192 patients, for which the hospital was required to settle with the Office for Civil Rights for $1 million; clearly demonstrating that it is not the number of records exposed that dictates the financial penalty, but the seriousness of the breach and the HIPAA violations that caused it.

In that case, paper records were lost that contained health information, medical record numbers, health insurance policy numbers, diagnoses, and Social Security numbers of patients from the hospital’s Infectious Disease Associates practice. The information related to individuals who had contracted HIV/AIDS and other highly infectious diseases. The exposure of that data having considerable potential to result in harm and discrimination against the victims.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.