Caitlin Anthoney July 11, 2024
Boston-based Mass General Brigham (MGB) terminated two employees after discovering a privacy breach on April 4, 2024.
An investigation revealed that two MGB employees allowed an unauthorized individual to perform their duties between February 26 and April 4, 2024, potentially exposing patients’ personal information.
The investigation concluded on May 28, 2024, confirming that the unauthorized access involved names, addresses, medical record numbers, dates of birth, email addresses, phone numbers, and health insurance policy numbers. Additionally, clinical information and Social Security numbers were potentially compromised.
According to the HHS Office for Civil Rights (OCR), MGB reported two data breaches on June 28, 2024. Specifically, the Mass General Brigham Health Plan breach affected 3,659 individuals and the Mass General Brigham Incorporated breach affected 655 individuals.
Since then, MGB has strengthened its safeguards for protecting patients' information, enhanced employee training, and refined its security alert system processes.
According to MGB’s notification letter, "This violated MGB’s employment and privacy policies and was done without the knowledge or consent of MGB."
The letter also states that while “the incident did not involve [patients’] bank information or credit card number [it] may have included information about prior authorizations, claims and diagnosis.”
Additionally, MGB offers affected individuals 24 months of complimentary credit monitoring and other services through IDX.
Provider organizations must implement role-based access controls so that only authorized personnel can access protected health information (PHI). These access controls restrict PHI access based on an employee's responsibilities, minimizing the risk of unauthorized exposure and data breaches. Providers should also regularly monitor access controls, ensuring they adapt to employees’ changing roles.
Furthermore, organizations must have termination procedures for employees who violate privacy policies. When an employee breaches these policies, provider organizations must conduct a thorough investigation, document the violation, and immediately revoke the employee’s access privileges.
Healthcare organizations must uphold privacy policies, enhance employee training on PHI security, and implement access controls, safeguarding patients’ PHI from potential data breaches.