The CHA Everett Care Center at 391 Broadway in Everett – the city where “an unauthorized third party” was found with Cambridge Health Alliance patient data from 2013. (Photo: Google)

A Cambridge Health Alliance investigation of the data breach that leaked personal information on 2,500 patients hasn’t answered an obvious question: How did it happen? “We do not know definitively how the files left the organization,” spokesman David Cecere said Thursday.

The internal investigation, which is complete, did show there was “no identifiable error in our systems which would have allowed that information to leave CHA,” Cecere said. The Alliance hired a “forensic firm” to do the investigation.

The Alliance disclosed March 29 that Everett police had notified the health care system two months earlier that records had been found in the possession of “an unauthorized third party.” The data was in electronic files of billing records from 2013 and could have included information such as patients’ names, addresses, birthdates and Social Security numbers; it might have included “limited clinical information” but not medical records, Cecere said previously.

The incident remains under investigation by the U.S. Department of Health and Human Services’ Office of Civil Rights, the agency that oversees compliance with health care privacy rules. 

State Attorney General Maura Healey’s office has an “open investigation” of the breach as well, according to a May 25 letter from Assistant Attorney General Lorraine A.G. Tarrow. She wrote to deny a public records request for a copy of the breach report filed with Healey’s office and subsequent correspondence.

Also, “local law enforcement is moving forward with its investigation on this matter,” Cecere said. Everett police have said a police detective was assigned to the case, but refused to give details. When asked for documents under the public records law, police said no documents existed.

The billing information that was involved was for certain patients who received services in 2013, the Alliance said. It was not clear when the breach occurred; it could have been as long ago as 2013.

The Alliance offered affected patients a year of credit monitoring, although hospital officials said at the time that police had indicated that identity theft was unlikely.

Asked whether the Alliance had changed security or procedures as a result of the breach, Cecere said it continues “to reinforce staff training and best practices related to cybersecurity.”