Data breach of nearly 10,000 people at Massachusetts General

“Another case of data breach déjà vu,” said one of four security experts who chime in.
By Bill Siwicki
01:30 PM
Data breach of nearly 10,000 people at Massachusetts General

Massachusetts General Hospital reported late August 22 a neurology department data breach that has exposed protected health information (PHI) of around 10,000 people.

The breach came in June in two applications researchers use and was performed by an unauthorized third party, the prominent hospital said.

Names, dates of birth, medical record numbers, medical histories

Exposed information includes names, dates of birth, medical record numbers and medical histories of people in select research programs. Social Security numbers and financial data were not breached, the hospital reported.

“As soon as MGH discovered this incident, it took steps to prevent further unauthorized access,” Michael Morrison, hospital spokesman, said. “MGH also engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution.”

People who are concerned about their information or who have questions can call Massachusetts General Hospital at a special number, (866) 904-6219.

Data breach déjà vu

“Another case of data breach déjà vu,” said Jonathan Deveaux, head of enterprise data protection at security firm comforte AG. “A quick web search of the phrase ‘MGH Data Breach’ via Google returns results for the data breach just announced, as well as a previous data breach on Massachusetts General Hospital that happened May 2016.”

The initial report about the recently announced data breach states that the sensitive data was located in databases used by MGH researchers, he added. The 2016 data breach involved sensitive data stored by a third-party vendor, he said.

"What is positive about the recent data breach is that the sensitive data exposed did not include SSNs, insurance info or financial info. This helps reduce the impact of exposed data on the 9,900-plus victims."

Jonathan Deveaux, comforte AG

“What is common about both data breaches is that unauthorized individuals gained access to sensitive data,” he stated. “What is positive about the recent data breach is that the sensitive data exposed did not include SSNs, insurance info or financial info. This helps reduce the impact of exposed data on the 9,900-plus victims.”

Healthcare still ‘leads the way’ in data incontinence

This makes one wonder if Massachusetts General Hospital outsourced the data or the research to a third party, perhaps to another country, thus also outsourcing its security, said Colin Bastable, CEO of Lucy Security.

"The medical industry was the first to be phished, over 20 years ago, and it still 'leads the way' in data incontinence."

Colin Bastable, Lucy Security

“The medical industry was the first to be phished, over 20 years ago, and it still ‘leads the way’ in data incontinence,” he added. “At this rate, data breach insurance premiums will rival medical malpractice premiums – all costs being borne by paying patients eventually.”

This breach is troubling, said Dan Tuchler, chief marketing officer at SecurityFirst.

“Medical information, including medical history, diagnoses and even genetic information, have been compromised,” he said. “We don’t have much experience yet in what kind of lasting damage can be caused with this very personal info, but this is surely going to grow in the future. It makes sense to apply best practices to safeguard data, whether it’s financial or very personal medical data.”

Careful attention to security best practices

This breach was caused by computer applications used in neurological studies, which would likely be very cutting-edge programs developed by sophisticated computer experts. But without careful attention to security best practices they can be vulnerable, Tuchler explained.

"This breach shows that the security of every program must be taken very seriously, to protect private data."

Dan Tuchler, SecurityFirst

“In fact, there are usually tighter controls on basic business programs than there are on research programs,” he contended. “But this breach shows that the security of every program must be taken very seriously, to protect private data.”

Unauthorized access is a common theme across most breach incidences; however, much like there is a difference between a burglar disarming one’s home security system and leaving one’s front door wide open, there is a distinction to be drawn between an advanced, coordinated attack and overprovisioned access rights to a data resource, said Adam Laub, chief marketing officer at STEALTHbits Technologies.

“Either way, neither situation is an easy one to address,” he said. “Sophisticated attackers consistently circumvent security controls with high degrees of success, and assessing, reviewing and adjusting access rights across all data resources – especially in organizations like healthcare institutions that house sensitive data in virtually every corner of their networks – require tremendous discipline and commitment monetarily, culturally and otherwise.”

The things most worth doing

However, those things that are most worth doing are often the hardest – or at least they are perceived to be, he added.

"There are pragmatic approaches organizations can adopt to mitigate risks that lead to unauthorized data access and attackers’ ability to successfully elude detection."

Adam Laub, STEALTHbits Technologies

“Fortunately, there are pragmatic approaches organizations can adopt to mitigate risks that lead to unauthorized data access and attackers’ ability to successfully elude detection,” he said. “Concepts such as least privilege access models across shared data repositories, removal of ‘Standing Privileges’ for administrative accounts across systems and applications, and focus on authentication-based attack vectors that attackers use to impersonate users, escalate privileges and achieve persistence can have immediate and long-lasting impact on any organization’s security posture.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
Healthcare IT News is a HIMSS Media publication.