Disclosure of the breach was delayed for more than four months.
Fingers are pointing at a third-party vendor as the culpable party behind the exposure of personally identifiable information of 4,300 patients of Massachusetts General Hospital (MGH).
On Feb. 8, an unauthorized individual accessed the network of Patterson Dental Supply, a division of Patterson Companies, a Saint Paul, Minn.-based medical supplies conglomerate, which services MGH with the software used in managing dental practice information.
The purloined data included patients’ names, dates of birth, Social Security numbers and, in some cases, the particulars of dental appointments.
Because law enforcement forbade disclosure while an investigation proceeded, it wasn’t until May 26 that MGH received permission to begin informing those affected. Disclosure to patients was further delayed because the hospital needed time to determine which patients were at risk, according to a hospital spokesman. It wasn’t until June 29 that letters began going out. A call center also was set up to handle inquiries.
MGH said Patterson Dental Supply has upgraded the security of its systems used in storing patients’ dental files.
“This is an instance where a third party has compromised the security of their partner,” Jack Danahy, CTO and co-founder of Barkly, said in a statement emailed to SCMagazine.com. “In environments where the information sharing is so important, and so intimate, organizations have a very real responsibility to consider the potential impact of any breach of their own security.”
In an emailed statement to SCMagazine.com, Casey Ellis, founder and CEO of Bugcrowd, added that healthcare continues to be targeted by state and cybercriminal attackers. Healthcare networks are particularly vulnerable, he wrote, because of the large number of legacy systems in use at these facilities and the critical need to keep these systems online at all times. “It’s a shame this happened, but it highlights the need for simple, clear solutions to help the healthcare industry identify its vulnerabilities and start working to remediate them.”
Hospitals and medical organizations are attractive targets because they hold valuable stores of patient information that can be sold for a tidy profit, Israel Levy, CEO of Bufferzone, told SCMagazine.com in an emailed statement. Thanks to mandatory regulations, hospitals are unquestionably making an effort to protect patient data, he wrote, but that’s not as easy as it sounds because hospitals are part of a large and complex ecosystem.
“To prevent breaches, hospitals must take measures to separate their patient data and their medical equipment from outside access using approaches like virtual containers and network segregation,” Levy said.
This is not MGH’s first data breach. Last July, an employee inadvertently sent an email containing personal information of 648 patients to the wrong email address.