News Feature | May 7, 2015

Lessons From The Partners HealthCare Breach For Your IT Clients

By Megan Williams, contributing writer

Lessons for IT customers from the Partners data breach

A November breach involving more than 3,000 patients’ information has drawn criticism of Partners HealthCare and made it the latest name in the long-running drama of healthcare data breaches.

The Breach

ABC News reported that the Boston-based nonprofit healthcare system notified about 3,300 patients of a security breach. Partners said it became aware of the breach when it learned that a group of its workers had received phishing emails and had replied to them with information. Some of those emails contained patient information: names, addresses, Social Security numbers, telephone numbers, dates of birth, and clinical information ranging from diagnoses to treatment and insurance details.

While there is no evidence that the information has been misused, Partners has contacted law enforcement about the breach involving patients at Massachusetts General Hospital, Brigham and Women’s Hospital, and several other Partners affiliates.

The Criticism

Much of the industry has responded saying that Partners should have known better.

While much of the healthcare world is still underprepared for a breach, it is generally understood that sending sensitive patient information over unprotected channels such as ordinary email is an unsafe practice. Articles like this one from CSO Online charge Partners with negligence and with responding too slowly.

Partners has pledged to better educate its employees about phishing scams, but experts are saying that the organization should not be using email to transmit sensitive information in the first place.

Amy Abatangle, EVP and General Manager at Untangle (a network security vendor), weighed in: “Putting patient data into emails introduces elements of risk to both privacy and security. It is a very questionable practice, outside of the phishing breach. Scammers can be very clever when it comes to getting employees to reveal credentials or even seemingly harmless information which can then be used to gain access to vulnerable systems.”
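The failure mode described in this section, staff replying to an outside address with patient identifiers in the body of an email, is one that an outbound mail filter can catch before the message leaves. The following is an added example written for this article, not code from Partners or from any vendor quoted here; the internal domain, the identifier patterns, and the sample messages are all assumptions constructed for illustration. It parses an outbound message, counts Social Security numbers, dates of birth and clinical context words in the plain-text body, and blocks the message when those identifiers are addressed to an external recipient:

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical internal domain for this example; a real deployment would
# load its own domain list and DLP policy rather than hard-code them.
INTERNAL_DOMAINS = {"example-hospital.org"}

# US Social Security number with the structurally invalid forms excluded
# (area 000/666/9xx, group 00, serial 0000), which cuts obvious false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Dates in US numeric form (MM/DD/YYYY), used here as a proxy for dates of birth.
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
# Clinical context words; together with identifiers they indicate PHI.
CLINICAL_RE = re.compile(r"\b(?:diagnos(?:is|es|ed)|treatment|insurance|MRN)\b", re.I)


def external_recipients(msg):
    """Recipient addresses whose domain is not one of ours."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def body_text(msg):
    """Plain-text body only; HTML parts and attachments are out of scope here."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_outbound(raw_message):
    """Classify one outbound message as 'block', 'review' or 'allow'.

    block:  identifiers (an SSN, or a DOB plus clinical context) addressed to an
            external recipient, the shape of the replies in the Partners case.
    review: the same identifiers staying inside the organization, which the
            experts quoted above still consider a questionable use of email.
    allow:  nothing sensitive detected.
    """
    msg = message_from_string(raw_message)
    text = body_text(msg)
    findings = {
        "ssn": len(SSN_RE.findall(text)),
        "dob": sum(1 for _ in DOB_RE.finditer(text)),
        "clinical": sum(1 for _ in CLINICAL_RE.finditer(text)),
        "external": external_recipients(msg),
        "is_reply": msg.get("Subject", "").lower().startswith("re:"),
    }
    has_phi = findings["ssn"] > 0 or (findings["dob"] > 0 and findings["clinical"] > 0)
    if has_phi and findings["external"]:
        verdict = "block"
    elif has_phi:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages for the example; not real traffic from the incident.
REPLY_TO_PHISH = """\
From: clerk@example-hospital.org
To: records-update@mail-verify-billing.example
Subject: Re: Urgent: confirm patient records for audit
Content-Type: text/plain; charset=utf-8

Here are the two you asked for.
Jane Doe, DOB 03/14/1962, SSN 123-45-6789, diagnosis: type 2 diabetes.
John Roe, DOB 11/02/1955, SSN 234-56-7890, insurance ID on file.
"""

INTERNAL_OK = """\
From: nurse@example-hospital.org
To: scheduling@example-hospital.org
Subject: Room change for Thursday clinic
Content-Type: text/plain; charset=utf-8

Thursday's 2pm clinic moves to room 4B. No patient details in this note.
"""

INTERNAL_PHI = """\
From: billing@example-hospital.org
To: coder@example-hospital.org
Subject: Claim rework
Content-Type: text/plain; charset=utf-8

Patient SSN 321-54-9876 needs the insurance code corrected before resubmission.
"""

if __name__ == "__main__":
    for label, raw in [("reply to phish", REPLY_TO_PHISH),
                       ("internal notice", INTERNAL_OK),
                       ("internal PHI", INTERNAL_PHI)]:
        result = scan_outbound(raw)
        print(f"{label}: {result['verdict']} {result['findings']}")
```

The patterns are deliberately simple heuristics and will miss identifiers in attachments, HTML bodies or unusual formats, so treat a filter like this as a safety net for the control the experts above actually recommend: not putting patient data into email at all. The `is_reply` flag is recorded because a reply to an unfamiliar external sender carrying identifiers is the exact signature of the Partners replies, and it is a useful pivot for the incident responder who reviews what the filter caught.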

The FBI Navigates The Dark Web

Partners is aware of the risk to patient information. James Noga, the organization’s VP and CIO, reiterated in an article with NewsNet 5 that medical records can go for $50 on dark web bidding platforms and that $12 billion was lost to healthcare fraud-related crimes last year (read predictions for 2015).

These circumstances have the FBI countering with measures such as regional “cyber task forces” to prevent further loss, and with recruiting young, digitally native talent. Partners has taken similar action, focusing on recruiting college students to improve its security standards.