Breach of PHI at Partners HealthCare Affects 2,600 Patients

Feb 12, 2018

Approximately 2,600 patients of Partners HealthCare System have been sent notifications that their protected health information (PHI) may have been compromised in a HIPAA breach.

Health care organizations covered by HIPAA are given 60 days following the identification of a breach to submit a report to the OCR (if the breach affects 500 or more people) and to warn breach victims, yet this incident took place and was discovered in May 2017. The delay in filing an incident report was explained as being due to the difficulty of identifying patient data, which was mixed together with assorted computer code.

The breach was a malware incident that was first noticed internally on May 8, 2017, when Partners HealthCare System’s intrusion monitoring alarm flagged suspicious activity. Steps were immediately taken to wipe the malware, and third-party forensics experts were called in to assist with reviewing the incident.

The investigators found that this was not a targeted attack on Partners HealthCare, and the malware did not allow the attackers to log onto its electronic medical record system. However, the investigation did identify that logging on obtain specific data was possible due to  of user activity on computers hit with the malware. That access was open for 11 days, from May 8 to May 17, 2017.

Because specific computers were known to have been impacted by the malware attack, measures were taken to contain those devices and prevent additional access to data. However, it was not until July 11, 2017 that it was revealed that the attackers may have gained access to the PHI of some of its patients, and it took an additional five months to identify all of the patients that may have had their PHI impacted by the malware attack.

To identify which patients may have been affected, and the range of data that had been obtained, a manual data analysis was required. Partners HealthCare reports that it was extremely difficult to identify the exposed data as it “was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”

The range of information that may have been accessed included names, service dates, and some clinical information including diagnoses, procedure types, and medications. Some patients also had their Social Security and financial information obtained.

In light of the malware attack, Partners HealthCare has begun to improve its security defenses and new controls and procedures have now been implemented.

The make-up of the exposed data means any hacker would also have had extreme difficulty in downloading information. Partners HealthCare has stated that it has received no official reports or indications suggesting there has been any improper use of data.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
