HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI

Partners HealthCare System is alerting approximately 2,600 patients that some of their protected health information has been compromised.

While HIPAA covered entities have up to 60 days following the discovery of a breach to report the incident to OCR (if the breach impacts 500 or more individuals) and notify breach victims, this incident occurred and was discovered in May 2017. The delay in reporting the incident was due to difficulty identifying patient data which was mixed together with computer code.

The breach was a malware incident that was discovered on May 8, 2017 when the healthcare system’s intrusion monitoring system detected suspicious activity. Prompt action was taken to block the malware and third-party forensics consultants were called in to assist with the investigation.

The investigators concluded that this was not a targeted attack on Partners HealthCare, and the malware did not provide the attackers with access to its electronic medical record system. However, the investigation did reveal access to certain data was possible as a result of user activity on computers infected with the malware. That access was possible for 11 days between May 8 and May 17, 2017.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

As computers were identified as being impacted by the malware attack, action was taken to contain those devices and prevent further access to data. However, it took until July 11, 2017 before it was confirmed that the attackers potentially gained access to the protected health information of some of its patients, and a further five months to determine all of the patients that had been impacted by the malware attack.

In order to determine which patients had been impacted, and the range of data that had been compromised, a manual data analysis was necessary. Partners HealthCare reports that it was difficult to identify exposed data as it “was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”

The types of information that could potentially have been accessed included names, service dates, and limited clinical information such as diagnoses, procedure types, and medications. Some patients also had their Social Security and financial information exposed.

The malware attack has prompted Partners HealthCare to improve its security defenses and new controls and procedures have now been introduced.

The format of the exposed data means any attacker would similarly have had difficulty extracting information. Partners HealthCare says it has received no reports to suggest there has been any misuse of data.

The Department of Health and Human Services’ Office for Civil Rights may take an interest in this breach. Partners HealthCare knew in July that PHI was possibly involved, and it should have been clear during the following five months that was definitely the case. Further, Partners HealthCare said in its breach notice that the data analysis was completed in December, yet it took a further two months before notification letters were sent to affected patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.