It has been a bad month for news of hacks in the healthcare industry. First, we learned of Chinese hacking groups targeting medical data. Now, we find out that Massachusetts General Hospital had 9,900 research patient records stolen.
Records of nearly 10,000 research patients on two computers used by neurology researchers at Mass General were accessed by an “unauthorized third-party” between the 10th and 16th of June 2019.
The hospital noted that Social Security numbers and financial information were not part of the hack. However, the stolen data includes names, birth dates, medical record numbers, and medical histories. For deceased research participants, the research data included the date of death, and, when available, summary autopsy results.
“As soon as MGH discovered this incident, it took steps to prevent further unauthorized access and restore the affected research computer applications and databases,” the hospital said in a statement. “MGH also engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution. MGH continues to review and enhance the security processes in place for its research programs.”
Mass General, a teaching hospital for Harvard Medical School where almost all physicians are also medical school faculty, is ranked #2 in U.S. News & World Report’s Best Hospitals Honor Roll. Beyond the obvious HIPAA violations involved in any such patient data security breach, the targeting of research information stores at such a prestigious institution may be particularly concerning in light of a recent report by FireEye cybersecurity researchers claiming that medical research data is being continually targeted by Chinese state-sponsored attackers.
All that aside, state-sponsored hackers are by no means the only possible culprits behind this newest data breach. There have also been speculative suggestions that this data may have been stolen through an outside provider, as was the case in 2016, when, as HealthcareITNews reported, a previous breach at the same hospital involved data stored by a third-party vendor.
Regardless of the activities of government actors, medical-related data has value for cybercriminals. Breached data is widely traded on the Dark Web because this kind of personal medical information can be used for identity theft and blackmail, and to build trust as part of phishing scams.
Header Image by graysky.