Mass General Hospital Suffers Patient Records Breach

US/North America News Reporter, Infosecurity Magazine

30 Jun 2016

One of the nation’s top hospitals, Massachusetts General (MGH), has suffered a data breach of information related to its dental practice patients.

That information includes patient name, date of birth and Social Security number and, in some instances, may have also included date and type of dental appointment, dental provider name and medical record number. MGH has known about the breach since February, but law enforcement asked it to hold off on notification until the investigation was concluded. The hospital is now notifying individuals affected—and hasn't said how many of them there are.

The breach wasn’t of MGH internal systems, however. Rather, hackers were able to compromise information stored by a third-party vendor, Patterson Dental Supply Inc. (PDSI). It provides software that helps manage dental practice information for various providers, including MGH.

“This is an instance where a third party has compromised the security of their partner,” said Jack Danahy, CTO and co-founder of Barkly. “In environments where the information sharing is so important, and so intimate, organizations have a very real responsibility to consider the potential impact of any breach of their own security.”

One of the follow-on effects of this particular breach may be the exposure of other related data losses, he added.

“Patterson Dental is a very successful provider of products supporting dental practices, including software and technology,” Danahy said. “There was nothing in the reports to indicate that the breach at Patterson was limited to MGH patients and practices, so there may be more breaches reported in the future.”

The incident also shows a need for modernization in security approaches, according to David Amsler, president and founder of Raytheon Foreground Security.

“As medical records across the globe become digitized, healthcare organizations have increased pressure to enhance cybersecurity practices from stakeholders and strict regulations, including HIPAA and HITECH,” he said. “Despite this pressure, time and time again, healthcare organizations are falling victim to cyber-attacks that are putting patient data at risk. The industry is still feeling the impact from last year’s Anthem breach and the MGH breach is just another example of how healthcare organizations rely too heavily on traditional security strategies. Healthcare organizations must shift from a reactive, ‘wait-and-see’ approach to a proactive approach and actively hunt for malicious threats to ensure patient data remains safe and secure.”