McLean Hospital Brain Donators Have PHI Exposed

Another Partners HealthCare hospital has suffered a data breach; this time potentially exposing the Protected Health Information (PHI) of 12,600 individuals who donated their brains to medical research.

The latest data breach involved the loss of backup tapes containing patient names, dates of birth, Social Security numbers and medical diagnoses.

The incident is not believed to have involved malicious insiders, and the probability of the data being accessed or used inappropriately is understood to be low. The backup tapes were not encrypted, but according to a statement released by McClean Hospital, the psychiatric facility in Belmont, Mass., “It would take specialized software, equipment, and technical expertise in order to access the information on the tapes.”

The tapes were stored in Partners Healthcare’s Harvard Brain Tissue Resource Center and were declared missing on May 29, 2015. The data related to individuals who had agreed to donate their brains – or some brain tissue – to the hospital after their death. Many of the victims are now deceased, although some family members’ data was also stored on the tapes.

After the tapes were discovered to be missing, McLean hospital started an investigation to determine the exact nature of the data stored on the tapes, and which patients had been affected.

Hospital spokeswoman, Adriana Bobinchock, confirmed that the investigation took some time to complete, which delayed the issuing of breach notification letters. The investigation has now been concluded and all affected patients are now being notified by post of the potential data breach. The backup takes have still not been located.

Bobinchock confirmed that the data breach has now been reported to federal regulators and the Massachusetts Attorney General has also been informed. The Massachusetts attorney general’s office is an active enforcer of HIPAA regulations, and investigates data breaches involving state residents. Numerous fines have already been issued for violations of state and HIPAA Rules.

In January, 2013, the attorney general reached a settlement with Marblehead-based Goldthwait Associates after the company mishandled and improperly disposed of 67,000 patient records. Last year, Boston’s Beth Israel Deaconess Medical Center settled for $40,000 for a data breach involving 2,159 patients.

The Mass. attorney general also issued a fine of £150,000 to the Women & Infants Hospital in 2012 for the loss of unencrypted back-up tapes containing the personal information of approximately 12,000 Massachusetts residents. McClean Hospital could well face a similar fine.

This is the second data exposure to be suffered by a Partners HealthCare hospital this year. In April, the health system suffered a data breach that exposed the information of approximately 3,300 patients from six of its hospitals in the Boston area, after members of staff responded to phishing emails; providing hackers with access a number of company email accounts.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.