HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack Causes Partners HealthCare System HIPAA Breach

Partners Healthcare has announced that it has suffered a HIPPA breach after hackers used a phishing attack to gain access to some of its email accounts. While the company’s EHR system was not compromised, the email accounts did contain some PHI and approximately 3,300 patients are believed to have been affected.

Partners Healthcare believes that PHI may not have actually been obtained by criminals as there was no evidence discovered that this was the case, although it is possible that Social Security numbers and some clinical information – including diagnoses, treatments and medical appointments – were accessible through the email account, as were patient names, dates of birth, contact telephone numbers, addresses, medical record numbers and health insurance details.

According to the breach notification posted on the company’s website, the attack was discovered on November 25, 2014. A group of user’s accounts were compromised after they received and responded to phishing emails in the belief that they were legitimate. Hackers were subsequently able to gain access to the email accounts with the information they were provided.

Patients have now been sent notification letters to alert them to the breach. All patients that receive a breach notification letter are advised to check Explanation of Benefits (EoB) statements from their health insurers, as insurance data was compromised in the attack. Criminals are able to use this information to make false insurance claims, and it is the victims of the crime that are ultimately required to foot the bill.

The Boston-based healthcare provider has set up a hotline where worried patients can gain additional information and have any questions answered. The patients affected had visited one of the following hospitals for medical services:

  • Brigham and Women’s Hospital
  • Brigham and Women’s Faulkner Hospital
  • Massachusetts General Hospital
  • North Shore Medical Center
  • Partners Continuing Care
  • Newton-Wellesley Hospital

Potential HIPAA Violation over Breach Notification Letters

Under the Breach Notification Rule, all covered entities are require to report HIPAA breaches – those in which PHI has potentially been exposed – to the Department of Health and Human Services’ Office for Civil Rights. All affected patients must also be notified by mail and alerted to the fact that their PHI was compromised, how the attack occurred and what steps are being taken to mitigate any damage caused and prevent future attacks.

Following the HIPAA breach, Partners Healthcare conducted a full investigation using an external computer forensics expert; however the letter did not state what is being done to prevent future attacks from taking place. While it is unlikely that the OCR would take any action against the healthcare provider for this minor violation of HIPAA Rules, the same may not be true about the time-frame for sending the letters.

The Breach Notification Rule requires covered entities to issue notification letters within 60 days of the discovery of a PHI breach. According to the notice on the Partners website, the letters were not dispatched until April 30, 2015 and patients were advised in the notice that they should receive a letter no later than May 21 if they have been affected. This is almost 6-months after the breach was discovered. There was no indication in the breach notice as to why the letters were delayed.

Delaying the issuing of breach notification letters unnecessarily is a violation of HIPAA Rules, and the OCR has issued fines in the past for similar violations. Partners Healthcare could therefore potentially be issued with a financial penalty of up to $1.5 million for the HIPAA violation; should the OCR decide to take action.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.