Massachusetts General Hospital says it is trying to contact 9,900 individuals who were either patients or participants in neurological studies about a third-party privacy breach that occurred in June for a six-day period. Information accessed included medical record numbers, medical history, participant’s names, demographic information, and genetic information. Hospital representatives say law enforcement has been notified, and an investigator is working to beef up security for the breached databases.
But the damage is done, and has been done before.
Hospitals and health systems are operating in the Wild West when it comes to consumer protection, bypassing precautionary measures but facing only financial slaps on the wrist for data breaches. The Boston Globe has a not-complete list of some similar incidents with Cambridge Health Alliance, McLean Hospital in Belmont, and even another MGH breach in 2016 that left 4,600 dental patients at risk.
There are long-standing consumer protection rules that focus on data breaches. Those involve the storage, maintenance, processing and communication of data, who has access to it, and how it is destroyed.
When it comes to health care data, patients are protected by a blanket of regulations. There is the Consumer Protection Act, Massachusetts Data Security Law, and Health Insurance Portability and Accountability Act, which hold businesses accountable when they fail to properly secure individuals’ data.
There is also Attorney General Maura Healey’s Data Breach Reporting Online Portal, which businesses can use to provide notice of a breach to her office.
But despite the bevy of regulations, hospital after bank (hello, Capital One) after credit reporting agency (looking at you, Equifax) have exposed billions of personal records.
At the hospitals that dot the state from Pittsfield to Martha’s Vineyard, the concern is particularly acute.
Often, a hospital with a data breach will be slapped with a lawsuit, and fine for each violation of the consumer policy. The state Office of Consumer Affairs and Business Regulation (OCABR), is tasked with helping businesses seeking to report a data breach.
Depending on who knew what, and when, a hospital may be sued by Healey, as in the 2018 case where UMass Memorial Medical Group and UMass Memorial Medical Center Inc. paid a settlement of $230,000 to resolve claims concerning data breaches exposing information of more than 15,000 patients. UMass Memorial was required to hire a third-party firm to review its data policies and procedures, reporting back to Healey’s office.
Emerson Hospital in Concord had to send letters to more than 6,000 patients just a few months ago alerting them of a cybersecurity attack almost a year before. In that case, a company that helped the hospital collect payments sent patient files to an unauthorized third party. You would think that paying the high price of Massachusetts health care would at least mean that your information could be secure.
While OCABR may be willing to dole out advice to help businesses report breaches, and help consumers to deal with them, you have to wonder if there are further preventive measures that can be taken. You can have all the regulations in the world, but if they have no teeth, can they really be effective? Could something like yearly third-party reviews of hospitals’ security systems be worth considering?
There are no less than five bills pending on Beacon Hill involving data breach notifications, and at least one involving electronic health records.
Nationwide, health care data breaches hit a record high in April, when providers, health plans and their business associates reported 44 data breaches to the feds, according to Modern Healthcare. In March and April of this year, over 1.5 million people had their data compromised at health care facilities.