Breach of PHI at Partners HealthCare Affects 2,600 Patients

Approximately 2,600 patients of Partners HealthCare System have been sent notifications that their protected health information (PHI) may have been compromised in a HIPAA breach.

Health care organizations covered by HIPAA are given 60 days following the identification of a breach to submit a report to the OCR (if the breach affects 500 or more people) and warn breach victims, yet this incident took place and was discovered in May 2017. The delay in filing an incident report was explained as being due to the difficulty experienced in identifying patient data, which was mixed together with assorted computer code.

The breach was a malware incident that was first noticed internally on May 8, 2017, when Partners HealthCare System’s intrusion monitoring alarm pointed out suspicious activity. Steps were immediately taken to wipe the malware, and third-party forensics experts were called in to assist with reviewing the incident.

The investigators revealed that this was not a focused attack on Partners HealthCare, and the malware did not allow the attackers to log onto its electronic medical record system. However, the investigation did identify that logging on to obtain specific data was possible due to user activity on computers hit with the malware. That access was open for 11 days from May 8-17 last year (2017).

As specific computers are known to have been impacted by the malware attack, measures were taken to contain those devices and prevent additional access to data. However, it was not until July 11, 2017 that it was revealed that the attackers may have gained access to the PHI of some of its patients, and it took an additional five months to list all of the patients that may have had their PHI impacted due to the malware attack.

In order to list which patients may have been affected, and the spectrum of data that had been obtained, a manual data analysis was required. Partners HealthCare reports that it was extremely difficult to list exposed data as it “was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”

The spectrum of information that may have been accessed included names, service dates, and some clinical information including diagnoses, procedure types, and medications. Some patients also had their Social Security and financial information obtained.

In light of the malware attack, Partners HealthCare has begun to improve its security defenses and new controls and procedures have now been implemented.

The make-up of the exposed data means any hacker would also have had extreme difficulty in downloading information. Partners HealthCare has revealed that it has received no official reports or indication to imply there has been any improper use of data.