2,600 clients of Partners HealthCare System are being warned that some of their protected health information may have been compromised in a May 2017 breach.
While HIPAA covered organizations are given a time period of up to 60 days following the discovery of a breach to file an incident report to OCR (if the breach impacts 500 or more people) and notify those affected by the violation, this incident occurred and was found in May 2017. The lateness in reporting the incident was explained as beign due to difficulty in identifying patient data which was mixed with computer code.
The breach was carried out thanks to malware being place on the network that was discovered on May 8, 2017 when the healthcare system’s intrusion monitoring system reported suspicious activity. Quick action was employed to block the malware and external forensics consultants were called in to help with the investigation.
The external firm concluded that this was not a dedicated campaign against Partners HealthCare, and the malware did not supply the attackers with access to its electronic medical record system. However, the investigation did uncover that access to certain data was possible as a consequence of user activity on computers infected with the malware in question. That access was left open for a duration of 11 days between May 8 and May 17, 2017.
As the affected computers were identified as being hit the malware attack, steps were taken to contain those devices and obstruct further access to data. However, it was not until July 11, 2017 before it was confirmed that the hackers may have gained access to the protected health information of some of its clients, and a further five months to identify all of the patients that had been impacted by the malware attack.
In order to see which clients had been impacted, and the range of data that had been exposed, a manual data analysis was required. Partners HealthCare reports that it was difficult to uncover exposed data as it “was not in any specific format, and it was mixed in together with computer code, dates, numbers and other information, making it very difficult to read or decipher.”
The types of data and details that could have been obtained include names, service dates, and limited clinical information such as diagnoses, procedure types, and prescriptions. Some clients also had their Social Security and financial information obtained.
The malware attack has lead to Partners HealthCare strengthening its security defenses and new controls and procedures have now been implemented.
Due to the format of the exposed data, any hacker would similarly have had difficulty obtaining information. Partners HealthCare says it has received no official reports to indicate there has been any misuse of information.