Mass. General breach exposes private info on 9,900 in research programs

A data breach in the neurology department of Massachusetts General Hospital (MGH) exposed private data, including genetic information, on 9,900 people participating in research programs, the hospital said, placing the blame on an “unauthorized third party” who gained access between June 10 and June 16.

The hospital was quick to point out that the research data did not include any study participant’s Social Security Number, insurance information, or any financial information” or involve its medical records system. But according to Dan Tuchler, CMO at SecurityFirst, the breach is still “troubling.”

“Medical information, including medical history, diagnoses and even genetic information, have been compromised,” said Tuchler. “We don’t have much experience yet in what kind of lasting damage can be caused with this very personal info, but this is surely going to grow in the future.”

He said the intrusion “was caused by computer applications used in neurological studies, which would likely be very cutting-edge programs developed by sophisticated computer experts,” but pointed out that “without careful attention to security best practices” even those programs could be vulnerable.

“In fact there are usually tighter controls on basic business programs that there are on research programs,” said Tuchler.

The nature of the breach raises the question as to whether Mass General “outsourced the data or the research to a third party, perhaps to another country, thus also outsourcing their security,” said Lucy Security CEO Colin Bastable. “The medical industry was the first to be phished, over 20 years ago, and it still ‘leads the way’ in data incontinence.”

It’s not the first breach that Mass General has experienced. In early 2016, an unauthorized individual accessed the network of Patterson Dental Supply, a division of Patterson Companies, a Saint Paul, Minn.-based medical supplies conglomerate, which services MGH with the software used in managing dental practice information, and exposed the PII of 4,300 of the hospital’s patients. The purloined data included patients’ names, dates of birth, Social Security numbers and, in some cases, the particulars of dental appointments.

A year-earlier breach – this time at the hands of an MGH employee who inadvertently sent an email containing personal information to the wrong email address – exposed the names, lab results and Social Security numbers of 648 patients.

“Another case of data breach déjà vu,” said Jonathan Deveaux, head of enterprise data protection at comforte AG, noting the commonality between the 2016 and 2019 breaches “is that unauthorized individuals gained access to sensitive data.”

The latest incident, though, didn’t include SSNs, insurance information or financial data, which Deveaux cites as a plus. “The decision to not include data in a database is a good decision from a data privacy point of view,” he said. “Should the database get exposed, or should unauthorized individuals gain access, there would be no sensitive data to worry about.”

Whether Mass. General is dealing with an advanced, coordinated attack or overprovisioned access rights to a data resource, neither “is an easy one to address,” said STEALTHbits Technologies CMO Adam Laub. “Sophisticated attackers consistently circumvent security controls with high degrees of success and assessing, reviewing, and adjusting access rights across all data resources – especially in organizations like health care institutions that house sensitive data in virtually every corner of their networks – requires tremendous discipline and commitment monetarily, culturally, and otherwise.”

Mass. General said as soon as it discovered the breach on June 24, “it took steps to prevent further unauthorized access and restore the affected research computer applications and databases,” and also tapped “a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution.” In the wake of the incident, the hospital said that it “continues to review and enhance the security processes in place for its research programs.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.