Partners HealthCare System, Inc., a Massachusetts-based network of hospitals and medical centers including Brigham and Women’s Hospital and Massachusetts General Hospital, announced that it experienced a security breach after some employees were tricked by phishing emails.
Partners said it learned about the emails on November 25, 2014, took steps to secure the affected email accounts, and contacted law enforcement officials.
“Responding to the ‘phishing’ emails created an opportunity for unauthorized access to the workforce members’ email accounts within the Partners HealthCare network,” stated the network on its website. “Partners conducted a comprehensive review of the affected email accounts and determined that some of the emails contained patient demographic information, such as names, addresses, dates of birth, telephone numbers, and, in some instances, Social Security numbers, and some of our patients’ clinical information, such as diagnosis, treatment received, medical record numbers, medical diagnosis codes, or health insurance information.”
Partners noted that the attack did not compromise its electronic medical records system and that the investigation found no indication that any of the patient information had been misused. The network began notifying affected patients on April 30, 2015, and recommended that they review the explanation of benefits statements from their health insurer for claims covering services they did not receive.
Massachusetts’ data breach notification law allows notification to be delayed while a company cooperates with a law enforcement investigation, and otherwise requires only that breached companies notify affected individuals “as soon as practicable and without unreasonable delay.”
“To help prevent something like this from happening in the future, we have reinforced workforce member education regarding ‘phishing’ emails and are enhancing our existing technical safeguards to protect patient information,” stated Partners.