Massachusetts General Hospital Reports PHI Incident

Massachusetts General Hospital (MGH) has announced that some patients of its dental group had their protected health information exposed earlier this year. The security breach occurred at one of the healthcare provider’s business associates, Patterson Dental Supply Inc. (PDSI).

MGH first became aware of the security breach on February 8, 2016. Under normal circumstances, patients would have been notified of the breach within 60 days of discovery, the time frame stipulated in the HIPAA Breach Notification Rule. However, the intrusion was reported to law enforcement, which requested that MGH delay issuing breach notification letters so as not to interfere with the investigation.

The investigation continued, but on May 26, 2016, MGH was given permission by law enforcement to start notifying patients of the breach. A substitute breach notice was uploaded to the MGH website on June 29, 2016, just over a month later. According to that notice, “we began notification as quickly as possible once we completed our investigation.”

The investigation revealed that some patient files stored by PDSI, a provider of dental practice management software, were accessed by an unauthorized third party early in 2016. The breach involved PDSI’s Eaglesoft software, which is used by dentists to manage patient information.

The breach exposed the data of 22,000 patients in total, spread across a number of different dental practices. The data breach has not yet appeared on the Office for Civil Rights breach portal, so it is unclear at this stage how many MGH patients have been affected.

The data accessed by the unauthorized third party potentially included patients’ names, Social Security numbers, and dates of birth. Some patients’ appointment dates, appointment types, provider names, and medical record numbers were also exposed.

Patients face an increased risk of identity theft and fraud following a data breach and are typically offered credit monitoring and identity protection services; in this case, they were not. That decision may have been linked to the nature of the breach. Rather than PDSI being hacked, data was “exposed” when a security researcher discovered vulnerabilities in PDSI’s software that could potentially be exploited by malicious actors.

Security researcher Justin Shafer, who had previously exposed security flaws in Dentrix dental management software, also demonstrated that PDSI lacked certain data security protections related to its Eaglesoft software. Shafer discovered an anonymous FTP server that allowed anyone to access patient data.

Additionally, Shafer discovered that “Eaglesoft has been using ‘dba’ as a username and ‘sql’ as a password for years and years and years,” according to a posted statement. Shafer notified PDSI of the security issues after discovering that the files could be accessed. The discovery was not made public until after the files and the FTP server had been secured.

However, accessing an unprotected open FTP server is illegal under the Computer Fraud and Abuse Act (CFAA). Shafer’s home was raided by the FBI on May 27, 2016, in connection with the PDSI breach after a complaint was made by PDSI.

Fortunately for patients of dental clinics that use Eaglesoft software, the security flaws were discovered by a researcher and not a malicious actor.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.