A Partners HealthCare HIPAA breach has been reported in which 3,300 patient health records were potentially viewed and copied by a hacker, with the healthcare provider also potentially having caused a breach notification violation.
The HIPAA breach occurred when Partners HealthCare workforce members received a phishing email to which some responded exposing their login details. Partners confirmed that the breach was contained to email accounts, and its patient database was not compromised in the incident.
However the email accounts did contain Protected Health Information (PHI) and Personally Identifiable Information (PII) including some Social Security numbers. Clinical information was also present and included medical appointments, diagnoses and treatments. Medical record numbers and health insurance details along with names, addresses, email addresses and contact telephone numbers were also exposed.
The healthcare provider posted a breach notification letter on its website and it is in the process of sending breach notification letters to all individuals affected by the breach. The breach was reported to have been discovered on November 25, 2014, and action was immediately taken to secure the email account to prevent any PHI from being copied. It is not clear whether the hacker had managed to view or copy data during the time he or she had access.
Partners HealthCare was not able to discover any evidence that data had been copied or used for malicious purposes. However, since this is a possibility, all affected individuals have been advised to check their Explanation of Benefits (EoB) statements and monitor their accounts for any sign of fraudulent activity.
The HIPAA Breach Notification Rule requires all covered entities to notify the Office for Civil Rights of a data breach within 60 days of discovery, and patients must also be sent breach notification letters within this time frame. Partners HealthCare appears to have violated HIPAA rules by delaying the issuing of notification letters for more than 5 months after the breach was discovered.
The OCR may take an interest and conduct an investigation, and the healthcare provider could fined for not advising patients of the breach sooner, especially considering the extent of PHI exposed in the incident.
Phishing Attacks on the Rise
This HIPAA breach is one of a number of phishing campaigns that have successfully allowed hackers to gain access to healthcare data. The Anthem data breach – which exposed 78.8 million records – was also caused by a phishing campaign. Hackers invest considerable money and resources into creating highly plausible emails, often very closely mimicking those of genuine IT service providers.
In order to reduce the risk of accidental disclosure of login details, staff should receive training on how to identify phishing emails, and be advised to contact the IT department immediately if they are asked to reveal their login credentials via email.