Cyber Incident Victim: Mass General Brigham
Date:
Nov 2014
Location:
United States of America
Summary
A healthcare organization experienced a data breach when employees fell victim to a phishing attack, compromising email accounts containing protected health information of approximately 3,300 individuals. Exposed data included patient names, addresses, dates of birth, phone numbers, Social Security numbers, medical record numbers, diagnoses, treatment details, insurance information, and diagnosis codes. The attack did not impact the organization's electronic health records system. Upon discovery, the entity secured affected accounts, initiated an investigation with law enforcement and forensic experts, and notified potentially impacted patients. No evidence of data misuse was identified, though individuals were advised to monitor insurance statements for discrepancies. This incident reflects broader sector trends of increasing phishing and malware threats targeting healthcare entities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Partners HealthCare System, an integrated health delivery network operating Massachusetts General Hospital and other facilities, experienced a data breach stemming from a phishing attack discovered on November 25, 2014. Workforce members received fraudulent emails appearing legitimate, leading them to disclose credentials that compromised several email accounts. The organization initiated a comprehensive review of affected accounts, determining that approximately 3,300 individuals had protected health information exposed. Compromised data included patient demographic details such as names, addresses, dates of birth, telephone numbers, and Social Security numbers, alongside clinical information like diagnoses, treatments received, medical record numbers, diagnosis codes, and health insurance details. The attack did not penetrate Partners' electronic health records system. Immediate containment measures involved securing the breached email accounts and notifying law enforcement authorities. Partners engaged a computer forensic firm to investigate the incident's scope and origin, maintaining continuous monitoring for evidence of data misuse.
The forensic investigation revealed that attackers accessed emails containing sensitive patient information between the phishing incident's occurrence and its late November discovery. Partners issued breach notifications to affected individuals, advising them to review health insurance statements for unauthorized services. No evidence emerged suggesting actual misuse of the compromised data. This incident coincided with a documented surge in healthcare sector phishing attacks, as reflected by federal breach reports. Within months of the Partners breach, St. Agnes Health Care reported a similar phishing incident impacting 25,000 individuals, while Seton Family of Hospitals disclosed a December 2014 phishing attack affecting 39,000 patients discovered in February 2015. The Department of Health and Human Services' breach portal recorded over 1,200 major healthcare incidents impacting 133 million individuals between September 2009 and April 2015, with phishing representing a growing attack vector alongside high-profile network intrusions like the Anthem breach affecting 78.8 million. Partners maintained that their electronic medical records infrastructure remained uncompromised throughout the incident, with unauthorized access confined to individual email accounts through credential theft.