Law enforcement discovered that the protected health information (PHI) of some Cambridge Health Alliance (CHA) patients fell into the hands of an unauthorized person. Everett Massachusetts Police Department notified CHA on January 31, 2018 about the discovery of the unauthorized person possessing the files with PHI of CHA’s patients. The hospital conducted an internal investigation immediately after receiving the breach notification.
One of the files was found to contain PHI associated with billing from 2013. The information included patients’ names, dates of birth, addresses, Social Security numbers, discharge dates, charges for healthcare services and employer information. The law firm, BakerHostetler, sent breach notifications to four affected individuals on behalf of CHA. The four who were residents of New Hampshire were offered free credit monitoring and identity theft protections services via Experian.
Although it seems that only four individuals were impacted by the breach, there’s a report by Boston Globe that notification letters were sent to about 2,500 patients. The reported breached details of the 2,500 patients were the same as the four’s. Boston Globe also reported what CHA spokesman David Cecere said that the incident is still under investigation. There’s still no clear information as to how the patient files were stolen. It could be because of hacking or misconfiguration that made the information public. A computer forensics firm is also helping in the investigation. Hopefully, the firm can help find out how the data was actually stolen.