2,600 Patients of Partners HealthCare Notified of May 2017 Breach

by | Feb 8, 2018

Partners HealthCare System is making contact with around 2,600 patients to advise them that, potentially, some of their protected health information (PHI) may have been accessed.

Even though HIPAA covered bodies have up to 60 days after the identification of a breach to submit an incident report to OCR (if the breach affects 500 or more individuals) and warn breach victims, this incident happened and was noticed in May 2017. The slowness in reporting the incident was because of the difficulty identifying patient data which was jumbled together with computer code.

This HIPAA breach happened due to a malware incident that was identified on May 8, 2017 when the healthcare system’s intrusion monitoring system found suspicious activity occurring. Swift action was taken to obstruct the malware and third-party forensics consultants were contracted in to help with the investigation.

The investigators discovered that this was not a targeted attack on Partners HealthCare, and the malware did not allow the attackers to access its electronic medical record system. However, the investigation did show access to certain data was possible due to user activity on computers affected with the malware. That access was open for 11 days between May 8 and May 17, 2017.

As specific computers were identified as being affected by the malware attack, action was completed to contain those devices and stop further access to data. However, it took until July 11, 2017 before it was confirmed that the attackers may have gained access to the PHI of some of its patients, and another five months to determine all of the patients that had been affected by the malware attack.

In order to ascertain which patients had been affected, and the variety of data that had been in danger, a manual data analysis was required. Partners HealthCare reports that it was not easy to identify exposed data as it “was not in any specific format, and it was jumbled together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”

The sort of data that could possibly have been accessed included names, service dates, and limited clinical idetails such as diagnoses, procedure variety, and medications. Some patients also had their Social Security and financial information accessed.

The malware attack has lead to Partners HealthCare enhancing its security defenses and new controls and procedures have now been adapted.

The format of the exposed information means any hacker would similarly have had difficulty extracting details. Partners HealthCare says no reports have been filed to suggest there has been any misuse of data.

The Department of Health and Human Services’ Office for Civil Rights (OCR) may look into this HIPAA violation. Partners HealthCare was aware in July that PHI was possibly compromised, and it should have been obvious during the following five months that was, indeed, the case. Additionally, Partners HealthCare stated in its breach notice that the data analysis was finished in December, yet it took another two months before notification alerts were issued to affected patients.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy