Dive Brief:
- Partners HealthCare is notifying 2,600 patients that their personal information may have been compromised when an unauthorized third party introduced malware into its computer system.
- The breach was discovered in May, and Partners moved quickly to block some of the malware. Third-party forensic consultants were hired to identify and contain the impact, according to a February statement.
- Meanwhile, a new Rave Mobile Safety survey found many workplaces aren't fully prepared for cyberattacks and other emergencies. While both on-site and remote employees said they prefer to be notified by test message, only 37% said their workplace has a mass text message notification system in place. Over half of organizations (57%) had emergency preparedness drills.
Dive Insight:
An investigation into the Partners breach determined the malware was not specifically targeting Partners’ network and that no EHRs were accessed. However, some impacted data may have included personal and health information. The data “was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher,” Partners said.
Potentially compromised information included names, dates of service, diagnoses, medications and, for some patients, social security numbers and financial account data. Partners has sent personal letters to patients explaining the type of information involved.
The health system said it is unaware of any misuse of patient information. It added it has strengthened its security controls and procedures and is continuing to monitor for suspicious activity.
Recent years have seen an uptick in cyberattacks on healthcare organizations. Last year, the global WannaCry virus forced hospitals in the U.K. to temporarily shut down, while a ransomware strain of Petya targeted networks in Europe and the U.S. Among its victims were Nuance, Merck and Heritage Valley Health System. Another virus, dubbed Defray, specifically targeted healthcare organizations — spreading via a Microsoft Word attachment in emails that appeared to come from a trusted source.
Hospitals and health systems have been ratcheting up their cybersecurity efforts in response. In a 2017 HIMSS survey of IT leaders, 71% said their organization budgets for cybersecurity, and nearly two-thirds of those said the allotment is 3% or more of the overall budget.