Hacker hits research computers at Mass General, puts data of 9,000 at risk

An unauthorized person accessed two computers supporting research at Massachusetts General Hospital’s Department of Neurology, potentially affecting the information of about 9,900 individuals.

An investigation found the unauthorized person had access to databases containing research data from June 10 to 16. Substantial amounts of data were compromised, with at least 20 types of protected health information exposed. However, sensitive data—such as Social Security numbers and insurance and financial information—were not involved.

Consequently, the perpetrator likely was disappointed, contends David Holtzman, contends an executive advisor at data security firm CynergisTek.

Mass-General-2-CROP.jpg

Research data probably wasn’t what the offender was looking for, contends Holtzman, a former official in the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules. He believes the hacker probably wanted higher value data that could be used to commit identity theft and identity fraud.

Still, Boston-based Massachusetts General Hospital has a breach on its hands to clean up, and the incident should serve as a warning for providers to look at their vulnerabilities, with special attention to be paid to contractors working in the organization, Holtzman advises.

For instance, many providers do not ask prospective contractors about their breach history. If a contractor has a breach in the past and did not sufficiently increase its security, that breach still exists and will generally affect other organizations.

“A breach is just a window into the possibility that the incident could possibly affect others,” Holtzman contends. “The lesson for healthcare providers is to take a risk-based approach to selection and management of vendors who maintain protected health information. You have to look at the security practices and processes of these vendors.”

Vendors accounted for only 9 percent of large data breaches reported to the Office for Civil Rights during the first half of 2019, Holtzman notes, but the vendor breaches affected 74 percent of all individuals whose information was disclosed in all breaches reported to OCR. “The bottom line is that the covered entity is always left holding the bag,” he concludes.

For reprint and licensing requests for this article, click here.