It took 14 years for this Massachusetts hospital to detect a data breach

Better late than never?

David Bisson


It took a Massachusetts hospital 14 years to detect a data breach. To make matters worse, even after all that time – it wasn’t the medical center itself that discovered the incident.

Tewksbury Hospital learned of the breach in the spring of 2017. It hasn’t found any evidence to suggest the security incident resulted in attackers misusing patients’ data. Even so, it believes the event compromised the security of affected individuals’ personal and medical information.

As the state-run institution explains in a statement:

“In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.”

What, no access controls? And why did the patient suspect someone had accessed their EMR inappropriately? Is this something that the hospital should have detected on its own, that is, prior to receiving a complaint from the victim?

There aren’t any details that help answer those questions.


In terms of reputational impact from a security incident, very little is worse than first learning about a breach from an affected individual. Taking years to discover the event certainly magnifies the perception that the organization could have been more on the ball. But more than a decade? That’s a tough pill to swallow.

It turns out Tewksbury took 14 years to discover the event. Not surprisingly, this length of time limits the medical center’s ability to reach out to the some 1,100 patients whose personal and medical data the breach might have exposed. As it goes on to describe in its statement:

“Individuals who may be affected include people who were patients at Tewksbury Hospital from 2003 through May 2017. We have provided written notice to affected patients for whom the hospital has current contact information. We are also posting this substitute notice in a good faith attempt to notify affected individuals for whom we have insufficient or out-of-date contact information that precludes written notification, or to whom we are otherwise not able to provide written notice.”

To its credit, the hospital is taking this incident mighty seriously now. After firing the employee, Tewksbury is now reviewing its policies regarding employee access to electronic medical records. Hopefully, this will lead to the implementation of access controls in the near future.

In the meantime, those individuals who feel they might be affected should watch their credit reports carefully for suspicious activity. Should they spot any unauthorized transactions, they should request a new payment card from their card issuer. They should also consider placing a security freeze on their credit file.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “It took 14 years for this Massachusetts hospital to detect a data breach”

  1. Brett Coburn

    Based on the article, I think access control is only a part of the issue. Granting staff members, especially clinical staff, access to patients’ records is necessary and usually hard to restrict by patient as many clinical staff share cases and shifts. However, accessing a patient record without a good reason is definitely an unauthorized disclosure breach or privacy breach. Hospitals and other healthcare entities need to have a process to proactively audit access to records to guard against the activity described in the article. This is called out directly in the HIPAA Security Rule 164.306(3) and 164.308(a)(1)(ii)(2).

  2. Mariya Kozlova

    If this is the same incident I'm thinking of… a former employee's access to the system(s) was never revoked (years prior, during separation), which makes this so much more egregious. This individual had been accessing data since.
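The proactive audit process the first comment calls for, as an added illustration that is not code from the article or from Tewksbury Hospital: it assumes a constructed EMR access log and a constructed care-team assignment table, and flags chart accesses that fall outside any documented treatment relationship, then ranks users by how many such accesses they have so the outliers reach a privacy review before a patient has to complain.

```python
"""Flag EMR chart accesses with no documented treatment relationship.

Added example (not the hospital's code). Two constructed feeds are assumed:
an access audit log and an encounter/assignment table for care staff.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit log: (user, patient_id, access_time)
AUDIT_LOG = [
    ("nurse_a", "P100", "2016-03-01T08:15"),
    ("nurse_a", "P101", "2016-03-01T09:40"),
    ("clerk_x", "P100", "2016-03-02T22:10"),
    ("clerk_x", "P250", "2016-03-03T23:05"),
    ("clerk_x", "P301", "2016-03-04T01:30"),
    ("dr_b",    "P101", "2016-03-01T10:00"),
]
# Constructed care-team assignments: (user, patient_id, start, end)
ENCOUNTERS = [
    ("nurse_a", "P100", "2016-03-01T07:00", "2016-03-01T19:00"),
    ("nurse_a", "P101", "2016-03-01T07:00", "2016-03-01T19:00"),
    ("dr_b",    "P101", "2016-02-28T00:00", "2016-03-05T00:00"),
]
GRACE = timedelta(hours=24)  # allow charting shortly after a shift ends

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def has_treatment_relationship(user, patient, when, encounters=ENCOUNTERS):
    """True if the user was assigned to the patient around the access time."""
    for u, p, start, end in encounters:
        if u == user and p == patient and _t(start) <= when <= _t(end) + GRACE:
            return True
    return False

def flag_unjustified_access(log=AUDIT_LOG, encounters=ENCOUNTERS):
    """Return audit entries with no matching assignment, oldest first."""
    flagged = [(u, p, ts) for u, p, ts in log
               if not has_treatment_relationship(u, p, _t(ts), encounters)]
    return sorted(flagged, key=lambda e: e[2])

def users_by_flag_count(log=AUDIT_LOG, encounters=ENCOUNTERS):
    """Rank users by flagged accesses; the top of the list goes to privacy review."""
    return Counter(u for u, _, _ in flag_unjustified_access(log, encounters)).most_common()

if __name__ == "__main__":
    for user, n in users_by_flag_count():
        print(f"{user}: {n} accesses without a documented treatment relationship")
```

In a real deployment the assignment table would come from the scheduling or encounter system, and the review would run on a schedule rather than only in response to a complaint.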
