Partners HealthCare System recently notified 2,600 patients that their protected health information was compromised. The breach incident was discovered in May 2017. Under HIPAA Rules, Partners HealthCare should have notified OCR and the victims up to 60 days from the date of breach discovery (if 500 or more persons were impacted). But there was a delay in reporting because patient data was mixed with computer code making it difficult to decipher.
The breach was due to malware infection. The suspicious activity happened on May 8, 2017 and was detected by the healthcare system’s intrusion monitoring. There was a quick response to block the malware and computer forensics consultants were called in immediately to investigate the incident.
According to the investigation, what happened was not a targeted attack. The attackers did not get access to the electronic medical record system. But certain data was possibly accessed due to user activity on computers with malware infection from May 8 to May 17, 2017. The computer experts identified the infected computers and took action to stop further data access.
It was only on July 11, 2017 that it was confirmed that attackers possibly accessed the protected health information of some patients. It took five months more to identify all the patients whose data was impacted by the malware attack.
The patient information that could have been accessed included names, dates of service, some clinical information e.g. diagnoses, procedures and medications. The Social Security numbers and financial details of some patients were also included.
Partners HealthCare improved its security defenses because of the malware attack. New procedures and security controls are now in place. Since it was difficult to extract information about the exposed data, it is very likely that any attacker would have experienced the same. No report was received regarding any misuse of data from Partners HealthCare.
This breach might catch the interest of the Department of Health and Human Services’ Office for Civil Rights. The possibility of PHI exposure was confirmed in July and the data analysis was completed in December. Yet, the sending of notification letters took another two months. There may be a HIPAA violation somewhere.