PHI of 10,000 Massachusetts General Hospital Patients Exposed Due to Data Breach

Massachusetts General Hospital (MGH) discovered recently the unauthorized access of the computer applications utilized by its Department of Neurology researchers. The person behind the breach could potentially access the protected health information (PHI) of around 10,000 patients.

MGH identified the breach on June 24, 2019 and quickly blocked the hacker’s access to the software and databases. A forensic investigator began looking into the incident to know the nature and extent of the breach. It was confirmed that two applications were accessed without proper authorization from June 10 to June 16, 2019.

Through the applications, the unauthorized person could potentially view information stored in databases associated with certain neurology research reports. The types of exposed data differed from one patient to another and may have included names, age, marital status, birth dates, sex, race, ethnicity, consultation and testing dates, medical record numbers, diagnoses, treatment data, biomarkers, genetic data, evaluations and testing results, and other study data, which include time of death and autopsy results. Highly sensitive data including Social Security numbers, financial data, and medical insurance details were not compromised.

Though the investigators considered the nature of data exposed, MGH believes that affected persons don’t have to do anything to secure their identities. MGH will review its security processes with regard to research programs and will try to strengthen its security to avoid the same breaches in the long run.

Sonoma Valley Hospital Web Page Hack Prompts Change in Domain

Sonoma Valley Hospital located in California had to give up its three-letter domain name right after hackers accessed and controlled its domain.

The attack happened on August 6. Hackers accessed its domain and prevented the hospital from accessing it. The hospital gave a statement that it was impossible to recover the domain so it decided to have a new domain.

The new domain name,, already has Internet connectivity and email accounts system. Patients were asked to update their contact information for the hospital since messages sent to email addresses on behalf of the old domain were not obtained.

There was no compromise of patient data in the attack, yet it does not necessarily follow that patients aren’t vulnerable. The persons who currently control the domain name can use it to launch a phishing attack on Sonoma Valley Hospital patients.

The hospital states that the impact of the domain theft can’t be over-emphasized. The hospital needs to change all published stuff, which includes business cards, advertising material, letterheads, and branding.

About Christine Garcia 1289 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at