Two employees of Mass General Brigham located in Boston, MA were terminated because of a privacy breach discovered on April 4, 2024. The health system started an investigation after it found out that the two staff permitted a third person, not an employee of Mass General Brigham, to do a part of their job responsibilities that potentially led to the exposure of the patient’s personal data. The investigation ended on May 28, 2024, and affirmed that the purported offenses happened from February 26, 2024 to April 4, 2024.
As per the Health Insurance Portability and Accountability Act (HIPAA), covered entities must secure protected health information (PHI) all the time and prevent exposures of PHI to unauthorized persons except if valid consent was received from the persons involved beforehand. Mass General Brigham implemented work and privacy guidelines and stated that the employees violated those policies thus they were terminated from work immediately. Mass General Brigham didn’t mention the connection between the past workers and the third person.
Based on the investigation, the potentially breached information included names, dates of birth, addresses, email addresses, medical record numbers, telephone numbers, and medical insurance policy numbers. The third-party could have also accessed some clinical data, such as details regarding their appointments or admissions to Mass General Brigham services, such as the purpose for the consultation, medical diagnosis, date of visit/admission, and location. A number of the impacted patients likewise had their Social Security numbers and/or financial data compromised, and several guarantor data could likewise have been exposed. Mass General Brigham stated that the financial account number of the impacted people was not exposed.
Mass General Brigham stated that aside from firing the employees, the health system also took steps to avoid the same occurrences down the road. The employees were given additional HIPAA training and the procedures for its security notification system were enhanced. As a safety measure against fraud and identity theft, the impacted patients were provided free credit monitoring and identity theft protection services via IDX for 24 months.
The HHS’ Office for Civil Rights (OCR) received two unauthorized access/disclosure incidents on June 28, 2024. Mass General Brigham Health Plan impacted 3,659 persons while Mass General Brigham Incorporated impacted 655 persons.
