Federal agency investigates breach of data affecting Health Alliance patients in 2013
Federal officials are investigating the data breach announced by Cambridge Health Alliance on March 30 that involved access by an “unauthorized third party” to the personal information of an estimated 2,500 patients treated in 2013.
The Office of Civil Rights in the Department of Health and Human Services, which oversees patient privacy protections, put the Alliance’s incident on its list of breaches under investigation. The online list is widely known as the OCR Wall of Shame.
The federal agency has the power to fine organizations that violate the Health Information Portability and Accountability Act.
The Alliance disclosed that Everett police notified the health care system Jan. 31 that patient data had gotten into the possession of a third party, who was not identified. The patient information was in electronic files of billing records and could have included patients’ names, addresses, phone numbers, Social Security numbers, dates of birth and dates of discharge, spokesman David Cecere said.
The Alliance notified affected patients by letter March 28 and offered a year of free credit monitoring.
Two months after the breach was discovered, it remains a mystery in many respects. The Alliance reported to the federal Office of Civil Rights that the incident was a “hacking/IT incident” and it told the state Office of Consumer Affairs and Business Regulation that it was the result of a “malicious/criminal act.”
Cecere has maintained, though, that the Alliance doesn’t know whether the information was hacked or exposed accidentally. He said the Alliance categorized the breach as criminal because Everett police notified the organization about it.
Everett police have disclosed little more than that they are conducting an unspecified investigation. The public information officer for the department said Wednesday that the detective in charge of the case is in New York, and his files were not available. He didn’t reply when asked when the detective is expected back.
At this point the Alliance doesn’t know when the patient data “was released,” Cecere said when asked whether the breach could have occurred as long ago as 2013.
Neither the Alliance nor Everett police have disclosed how the breach was discovered. Cecere also would not say which of the health care system’s departments or contractors have access to the type of billing information that was exposed. “We are unable to comment further because our investigation continues and is part of an outstanding criminal matter,” he said.
Several other Massachusetts health care entities have reported data breaches this year that are under investigation by OCR. They include four home care and subacute care companies that apparently used the same third-party software provider and reported that the software company had discovered that a disk with patient information was lost in the mail; Partners Healthcare, the state’s largest health care network, which said in February that malware breached its computer system in May; and Charles River Medical Associates, a Partners Healthcare practice, which reported in January that a computer hard drive was missing.