Boston-based Partners HealthCare said in a Feb. 5 statement roughly 2,600 patients' private inforamtion may have been affected after the system's computer network was compromised by an unauthorized third-party "malicious computer program" last May.
Partners said its monitoring system identified suspicious activity May 8, 2017, and immediately blocked some of the malware. The organization proceeded to work with third-party forensic consultants to identify the issue and mitigate its impact. Officials determined the malware was not specifically intended to target Partners' computer network and that the attack did not compromise its systemwide EMR. However, officials discovered the malware may have gained unauthorized access to certain data on affected computers between May 8, 2017, and May 17, 2017.
During an ongoing review of the incident, Partners officials became aware July 11, 2017, certain data that appeared to involve patients' personal and health information was affected during the incident.The affected data "was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher," according to the statement.
Officials completed a manual data analysis in December 2017 and are in the process of contacting affected individuals. Partners said based on the review, the information "may have included certain types of protected health information for patients, including first and last name, date(s) of service, and/or certain limited amounts of clinical information such as procedure type, diagnosis, and/or medication." Some patients' Social Security numbers and financial account data may have also been affected.
Partners said they are currently unaware of any misuse of patients' health information.
The health system is working to inform the roughly 2,600 individuals whose personal and health information may have been involved through postal mail and notices on its website as permitted by HIPAA. Partners has also enhanced its security protocols and procedures as a result of the incident.
To access Partners' statement on the privacy incident, click here.
Editor's note: Becker's Hospital Review reached out to Partners HealthCare for comment and will update the article as more information becomes available.