35 businesses and healthcare providers in Massachusetts have been involved in health data security breaches that have affected nearly 185,000 individuals since 2010, according to data maintainedby the U.S. Department of Health and Human Services' Office for Civil Rights.
More than 14,000 individuals were affected by a data breach at UMass Memorial Medical Center in 2014. Due to an ongoing investigation, UMass had to wait until this past January to announce the breach.
According to a statement released by UMass Memorial, “On April 9, 2014, we learned that information related to some of our patients may have been accessed inappropriately and potentially for fraudulent purposes. We immediately began an investigation and reported the incident to law enforcement….On January 28, 2015, we were given permission by law enforcement to notify and we are notifying potentially affected patients as quickly as possible.”
UMass found that an employee “may have accessed billing records outside of normal job duties from January 7, 2014 to May 7, 2014.” That employee is no longer employed with UMass Memorial.
The information accessed by the former employee may have included patients’ names, addresses, dates of birth, medical record numbers, and Social Security numbers. The information also may have included credit or debit card numbers used for payments to UMMMG, phone number(s), email addresses and guarantors’ names,
Spectrum Health Systems, which has multiple offices in Worcester and in Central Massachusetts, was victim to nearly 15,000 health data breaches from a desktop computer reported in 2011.
Other local businesses that were victims of data breaches in the past five years include Iron Mountain, Inc.(which has offices in Worcester, Northborough and Boston), and Adult & Pediatric Dermatology, PC (which has an office in Marlborough).
On February 27, Pro Publica in conjunction with NPR wrote about the lack of fines levied against the companies involved in breaches, in a piece entitled, "Fines Remain Rare Even As Health Breaches Multiply."
"Since October 2009, health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people," wrote ProPublica's Charles Ornstein.
"In some cases, records were on laptops stolen from homes or cars. In others, records were targeted by hackers. Sometimes, paper records were forgotten on trains or otherwise left unattended," wrote Ornstein. "Yet, over that time span, the Office for Civil Rights has fined health care organizations just 22 times."