Partners Healthcare notifies 2,600 patients after malware attack

A total of about 2,600 patients may have had medical or personal information compromised in a May 2017 malware attack on Partners Healthcare, which the organization only recently disclosed.

Boston-based Partners detected suspicious activity on its computer network on May 8, 2017, which turned out to be sophisticated malware introduced by an unauthorized third party. The incident resulted in prolonged investigation and remediation work, including help from forensic consultants.

The patients are being notified about the breach, and an undisclosed number of patients whose financial data or Social Security numbers may be at risk are being offered one year of credit monitoring and identity theft protection.

Other information that was potentially compromised included names, dates of service, procedure types, diagnoses or medications. There was no access to the organization’s electronic medical record system.

“Based on Partners’ investigation, the malware may have resulted in unauthorized access to certain data resulting from user activity on affected computers from May 8, 2017, to May 17, 2017,” the organization reported in an announcement.

“As impacted computers were identified, Partners implemented aggressive containment measures to mitigate further impact,” the statement noted. “As part of its ongoing review, Partners became aware on July 11, 2017, of data that appeared to possibly involve personal and health information. The impacted data was not in any specific format and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”

Partners’ analysis of the attack was completed in December.

Executives of the health system contend that the organization is not aware of any misuse of patient information. Because Partners may have outdated contact information for some patients, it has set up a toll-free number for individuals who may want to know if they are affected; the number will be active for 90 days.

All patients also received additional information on how to secure protected health information and identity, as well as the need to bring photo ID to any visit to confirm identity.
