Partners HealthCare System is making contact with around 2,600 patients to advise them that, potentially, some of their protected health information (PHI) may have been accessed.
HIPAA covered entities have up to 60 days from the discovery of a breach to notify affected individuals and, when 500 or more individuals are affected, to submit a breach report to OCR. This incident occurred and was detected in May 2017, so patient notifications are being issued well outside that window. Partners HealthCare attributes the delay to the difficulty of identifying patient data that was mixed in with computer code.
The breach stemmed from a malware incident identified on May 8, 2017, when the healthcare system's intrusion monitoring system flagged suspicious activity. Action was taken promptly to block the malware, and third-party forensics consultants were brought in to assist with the investigation.
The investigators determined that this was not a targeted attack on Partners HealthCare, and that the malware did not give the attackers access to its electronic medical record system. However, the investigation did show that certain data could have been accessed as a result of user activity on computers infected with the malware. That window of potential access ran from May 8 to May 17, 2017.
As individual computers were identified as infected, they were contained to prevent further access to data. Even so, it was not until July 11, 2017 that Partners HealthCare confirmed the attackers may have gained access to the PHI of some of its patients, and it took a further five months to determine which patients had been affected.
Identifying the affected patients and the types of data exposed required a manual data analysis. Partners HealthCare reports that the exposed data was hard to identify because it “was not in any specific format, and it was jumbled together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”
The data that could have been accessed included names, dates of service, and limited clinical details such as diagnoses, procedure types, and medications. For some patients, Social Security numbers and financial information were also exposed.
In response to the malware attack, Partners HealthCare has strengthened its security defenses and adopted new controls and procedures.
Given the format of the exposed information, any attacker would likely have had similar difficulty extracting usable details from it. Partners HealthCare says it has received no reports suggesting that any of the data has been misused.
The Department of Health and Human Services’ Office for Civil Rights (OCR) may investigate the delay. Partners HealthCare knew in July 2017 that PHI had potentially been compromised, and the picture should have become clear over the following five months of analysis. Furthermore, Partners HealthCare states in its breach notice that the data analysis was completed in December, yet another two months passed before notification letters were sent to affected patients.