Partners HealthCare has notified approximately 2,600 patients whose private information may have been breached when Partners’ computer network was impacted by a malware attack last year.
The Boston-based health system said that suspicious activity was discovered last May by Partners’ monitoring systems. Partners was quickly able to block some of this malware and hired third-party forensic consultants. Based on Partners’ investigation, the malware was not specifically targeted to impact the organization’s information, and Partners confirmed there was no access to its electronic medical record (EMR) system, according to officials.
Based on Partners’ investigation, the malware may have resulted in unauthorized access to certain data resulting from user activity on affected computers from May 8, 2017 to May 17, 2017. As impacted computers were identified, Partners implemented containment measures to mitigate further impact, officials said.
As part of its review, Partners became aware in July of data that appeared to possibly involve personal and health information. “The impacted data was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher,” according to the organization’s statement.
An analysis in December then revealed that the information involved may have included some health information, including first and last name, date(s) of service, and/or certain limited clinical information such as procedure type, diagnosis, and/or medication. For some patients, Social Security Numbers and financial account data may have been involved. Potentially affected patients have been sent personal letters explaining the type of information involved.
At this time, Partners said it is not aware of any misuse of patients’ health or personal information. The health system also said it has taken several measures to prevent similar incidents from happening again, including enhancing its security program, controls and procedures and continuing to actively monitor systems for unusual activity.