Boston-based Massachusetts General Hospital has begun notifying 10,000 patients that their personal health information may have been exposed in a data breach, according to the Boston Globe. An unauthorized third party gained access to two computer programs used by researchers in the hospital’s neurology department in June. Massachusetts General Hospital took immediate steps to secure the programs. Patient data that may have been affected included names, dates of birth, medical record numbers and medical histories. No Social Security numbers or financial information were affected.
Another case of data breach dejavu. A quick web search of the phrase “MGH Data Breach” via Google returns results for the data breach just announced, as well as a previous data breach on Massachusetts General Hospital that happened May 2016.
The initial report about the recently announced data breach states that the sensitive data was located in databases used by MGH researchers. The 2016 data breach involved sensitive data stored by a 3rd party vendor. What is common about both data breaches is that unauthorized individuals gained access to sensitive data.
What is positive about the recent data breach is that the sensitive data exposed did not include SSNs, Insurance info, or financial info. This helps reduce the impact of exposed data on the 9,900+ victims.
The decision to not include data in a database is a good decision from a data privacy point of view. Should the database get exposed, or should unauthorized individuals gain access, there would be no sensitive data to worry about.
However, many research and analytical projects require more data, including personal data, in order to get more accurate research test results. Protecting sensitive data within the database, requires more than user or identity management techniques. One way to include more sensitive data in the database, yet retain data privacy, is to anonymize or pseudonymize the sensitive data that is written into databases. Researchers can still run analytics on the anonymized data, without putting personal info at risk.
If the terminologies – anonymize and pseudonymize – are vague, check out GDPR and similar data privacy regulations and laws coming out around the world. These terms are used to describe how organizations need to protect sensitive and personal data.
The healthcare industry was victimized by 363 total breaches in 2018, according to findings from the Identity Theft and Resource Center, and as a result nearly 10 million total records were exposed. Hospitals are a prime target for threat actors as patients’ protected health information (PHI) can easily be sold on the dark web and used to commit fraud, access medical care in the victims’ name, and used in highly targeted phishing attacks. PHI also has a much longer shelf life compared to other types of data, like credit cards which can be easily cancelled and rendered useless.
Massachusetts General Hospital joins the ranks of Eye Care Associates, Bayview Dental and Managed Health Services (MHS) of Indiana, as the number of healthcare providers compromised by malicious actors in 2019 continues to grow. It is imperative that healthcare providers leverage security strategies and tools that prescribe real-time, contextual and continuous security that detects unusual behavior and prompts further action, such as identity verification, to thwart malicious actors that seek unauthorized access to PHI.