Data breaches expose no-teeth regulations

MGH disclosure latest in long string of lapses

Massachusetts General Hospital says it is trying to contact 9,900 individuals who were either patients or participants in neurological studies about a third-party privacy breach that occurred in June for a six-day period. Information accessed included medical record numbers, medical history, participant’s names, demographic information, and genetic information. Hospital representatives say law enforcement has been notified, and an investigator is working to beef up security for the breached databases.

But the damage is done, and has been done before. 

Hospitals and health systems are operating in the Wild West when it comes to consumer protection, bypassing precautionary measures but facing only financial slaps on the wrist for data breaches. The Boston Globe has a not-complete list of some similar incidents with Cambridge Health Alliance, McLean Hospital in Belmont, and even another MGH breach in 2016 that left 4,600 dental patients at risk.

There are long-standing consumer protection rules that focus on data breaches. Those involve the storage, maintenance, processing and communication of data, who has access to it, and how it is destroyed.

When it comes to health care data, patients are protected by a blanket of regulations. There is the Consumer Protection Act, Massachusetts Data Security Law, and Health Insurance Portability and Accountability Act, which hold businesses accountable when they fail to properly secure individuals’ data.

There is also Attorney General Maura Healey’s Data Breach Reporting Online Portal, which businesses can use to provide notice of a breach to her office.

But despite the bevy of regulations, hospital after bank (hello, Capital One) after credit reporting agency (looking at you, Equifax) have exposed billions of personal records.

At the hospitals that dot the state from Pittsfield to Martha’s Vineyard, the concern is particularly acute.

Often, a hospital with a data breach will be slapped with a lawsuit, and fine for each violation of the consumer policy. The state Office of Consumer Affairs and Business Regulation (OCABR), is tasked with helping businesses seeking to report a data breach.

Depending on who knew what, and when, a hospital may be sued by Healey, as in the 2018 case where UMass Memorial Medical Group and UMass Memorial Medical Center Inc. paid a settlement of $230,000 to resolve claims concerning data breaches exposing information of more than 15,000 patients. UMass Memorial was required to hire a third-party firm to review its data policies and procedures, reporting back to Healey’s office.

Emerson Hospital in Concord had to send letters to more than 6,000 patients just a few months ago alerting them of a cybersecurity attack almost a year before. In that case, a company that helped the hospital collect payments sent patient files to an unauthorized third party. You would think that paying the high price of Massachusetts health care would at least mean that your information could be secure.

Meet the Author

Sarah Betancourt

Reporter, CommonWealth magazine

About Sarah Betancourt

Sarah Betancourt is a bilingual journalist reporting across New England. Prior to joining Commonwealth, Sarah was a reporter for The Associated Press in Boston, and a correspondent with The Boston Globe and The Guardian. She has written about immigration, social justice, and health policy for outlets like NBC, The Boston Institute for Nonprofit Journalism, and the New York Law Journal. Sarah has reported stories such as a national look at teacher shortages, how databases are used by police departments to procure information on immigrants, and uncovered the spread of an infectious disease in children at a family detention center. She has covered the State House, local and national politics, crime and general assignment.

Sarah received a 2018 Investigative Reporters and Editors Award for her role in the ProPublica/NPR story, “They Got Hurt at Work and Then They Got Deported,” which explored how Florida employers and insurance companies were getting out of paying workers compensation benefits by using a state law to ensure injured undocumented workers were arrested or deported. Sarah attended Emerson College for a Bachelor’s Degree in Political Communication, and Columbia University for a fellowship and Master’s degree with the Stabile Center for Investigative Journalism.

About Sarah Betancourt

Sarah Betancourt is a bilingual journalist reporting across New England. Prior to joining Commonwealth, Sarah was a reporter for The Associated Press in Boston, and a correspondent with The Boston Globe and The Guardian. She has written about immigration, social justice, and health policy for outlets like NBC, The Boston Institute for Nonprofit Journalism, and the New York Law Journal. Sarah has reported stories such as a national look at teacher shortages, how databases are used by police departments to procure information on immigrants, and uncovered the spread of an infectious disease in children at a family detention center. She has covered the State House, local and national politics, crime and general assignment.

Sarah received a 2018 Investigative Reporters and Editors Award for her role in the ProPublica/NPR story, “They Got Hurt at Work and Then They Got Deported,” which explored how Florida employers and insurance companies were getting out of paying workers compensation benefits by using a state law to ensure injured undocumented workers were arrested or deported. Sarah attended Emerson College for a Bachelor’s Degree in Political Communication, and Columbia University for a fellowship and Master’s degree with the Stabile Center for Investigative Journalism.

While OCABR may be willing to dole out advice to help businesses report breaches, and help consumers to deal with them, you have to wonder if there are further preventive measures that can be taken. You can have all the regulations in the world, but if they have no teeth, can they really be effective? Could something like yearly third-party reviews of  hospitals’ security systems be worth considering? 

There are no less than five bills pending on Beacon Hill involving data breach notifications, and at least one involving electronic health records. 

Nationwide, health care data breaches hit a record high in April, when providers, health plans and their business associates reported 44 data breaches to the feds, according to Modern Healthcare. In March and April of this year, over 1.5 million people had their data compromised at health care facilities.