Massachusetts General Hospital (MGH) announced that it learned of a privacy incident involving its Department of Neurology.
MGH said that it learned on 24 June 2019 of an instance where someone gained unauthorized access to databases related to two computer applications used by its Neurology Department for research studies. Upon taking a closer look, MGH determined that the unauthorized party had held the necessary permissions between 10 June and 16 June to access research information stored on those databases. The teaching hospital went on to place the number of potentially affected individuals at 9,900.
Though it did not definitively say what types of data were exposed, Massachusetts General Hospital explained that the incident might have affected research participants' names, demographic details, dates of birth and medical information. The incident might also have exposed deceased participants' dates of death and autopsy results. That being said, MGH found no evidence to suggest the security event exposed individuals' Social Security Numbers, financial information or insurance details.
In a notice published on its website, Massachusetts General Hospital summarized what actions it took to respond to the incident:
As soon as MGH discovered this incident, it took steps to prevent further unauthorized access and restore the affected research computer applications and databases. MGH also engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution. MGH continues to review and enhance the security processes in place for its research programs.
It also clarified that it was in the process of notifying research participants whom the incident might have affected.
The event described above follows on the heels of numerous other security incidents at healthcare organizations. In January 2019, for instance, Humana notified customers of a third-party security incident that might have exposed some of their personal information. That was just three months before Navicent Health, a part of Central Georgia Health System, disclosed that it suffered a data breach as the result of a digital attack. These incidents highlight the need for healthcare organizations to protect patient data and keep their networks safe, compliant and available.