Boston-based Mass General Brigham (MGB) terminated two employees after discovering a privacy breach on April 4, 2024.
An investigation revealed that two MGB employees allowed an unauthorized individual to perform their duties between February 26 and April 4, 2024, potentially exposing patients’ personal information.
The investigation concluded on May 28, 2024, confirming that the unauthorized access involved names, addresses, medical record numbers, dates of birth, email addresses, phone numbers, and health insurance policy numbers. Additionally, clinical information and Social Security numbers were potentially compromised.
According to the HHS Office for Civil Rights (OCR), MGB reported two data breaches on June 28, 2024. Specifically, the Mass General Brigham Health Plan breach affected 3,659 individuals and the Mass General Brigham Incorporated breach affected 655 individuals.
Since then, MGB has strengthened its safeguards for protecting patients' information, enhanced employee training, and refined its security alert system processes.
According to MGB’s notification letter, "This violated MGB’s employment and privacy policies and was done without the knowledge or consent of MGB."
The letter adds that while “the incident did not involve [patients’] bank information or credit card number, [it] may have included information about prior authorizations, claims and diagnosis.”
Additionally, MGB offers affected individuals 24 months of complimentary credit monitoring and other services through IDX.
Provider organizations must implement role-based access controls so that only authorized personnel can access protected health information (PHI). These access controls restrict PHI access based on an employee's responsibilities, minimizing the risk of unauthorized exposure and data breaches. Providers should also regularly monitor access controls, ensuring they adapt to employees’ changing roles.
Furthermore, organizations must have termination procedures for employees who violate privacy policies. When an employee breaches these policies, provider organizations must conduct a thorough investigation, document the violation, and immediately revoke the employee’s access privileges.
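As an added illustration of the controls described in the two preceding paragraphs (this is example code written for this page, not code from Mass General Brigham or any real health system), the Python below implements a minimal role-based access check over PHI fields, replaces permissions when an employee changes role, revokes them immediately on termination, and replays an access log against the current role table so that stale or out-of-role access surfaces at the next review. The role names, field groupings, user IDs and log entries are all constructed assumptions.

```python
"""Added illustration, not Mass General Brigham's code: a minimal role-based
access control (RBAC) layer for PHI fields, with role changes, immediate
revocation on termination, and a periodic review that replays an access log
against the current role table. Roles, field names, user IDs and log entries
are all constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Constructed mapping of job role -> PHI fields that role legitimately needs.
# The field names echo the data types listed in the article; the grouping is
# an assumption for illustration, not a regulatory standard.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({"name", "phone", "email", "address"}),
    "billing": frozenset({"name", "insurance_policy_number", "claims", "prior_authorizations"}),
    "clinician": frozenset({"name", "date_of_birth", "medical_record_number", "diagnosis"}),
}


@dataclass
class AccessControl:
    """Current role per active user plus an alert list fed by denied requests."""
    roles: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        # Reassigning a user to a new role replaces the old permissions rather
        # than accumulating them, so access tracks the current job, not history.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.roles[user] = role

    def terminate(self, user: str) -> None:
        # Removing the user from the table revokes every privilege at once.
        self.roles.pop(user, None)

    def check(self, user: str, fields: Iterable[str], ts: str = "") -> bool:
        """Allow only if every requested field is within the user's current role."""
        role = self.roles.get(user)
        allowed = ROLE_PERMISSIONS.get(role, frozenset()) if role else frozenset()
        denied = sorted(set(fields) - allowed)
        if denied:
            # Feed the security alert process: who, under which role, asked for what.
            self.alerts.append(f"{ts} DENY user={user} role={role} fields={denied}")
            return False
        return True


def review_access_log(ac: AccessControl, log: List[dict]) -> List[dict]:
    """Periodic review: replay past accesses against the current role table and
    return entries that would no longer be permitted (role changed, user gone,
    or fields outside the role). Each log entry is a dict with ts/user/fields."""
    findings = []
    for entry in log:
        role = ac.roles.get(entry["user"])
        allowed = ROLE_PERMISSIONS.get(role, frozenset()) if role else frozenset()
        outside = sorted(set(entry["fields"]) - allowed)
        if outside:
            findings.append({**entry, "current_role": role, "outside_role": outside})
    return findings


def demo() -> dict:
    """Walk through grant, deny, role change, termination and review."""
    ac = AccessControl()
    ac.assign_role("u1001", "billing")
    ac.assign_role("u1002", "clinician")

    ok_claims = ac.check("u1001", ["name", "claims"], "2024-03-01T09:00")
    bad_diag = ac.check("u1001", ["name", "diagnosis"], "2024-03-01T09:05")

    # Constructed access log (not real data); u1002 later moves to the front
    # desk, so the earlier diagnosis read should surface at the next review.
    log = [
        {"ts": "2024-03-02T10:00", "user": "u1002", "fields": ["name", "diagnosis"]},
        {"ts": "2024-03-03T11:00", "user": "u1001", "fields": ["name", "claims"]},
    ]
    ac.assign_role("u1002", "front_desk")
    ac.terminate("u1001")
    findings = review_access_log(ac, log)
    after_term = ac.check("u1001", ["name"], "2024-04-05T08:00")
    return {
        "ok_claims": ok_claims,
        "bad_diag": bad_diag,
        "after_term": after_term,
        "flagged_users": [f["user"] for f in findings],
        "alert_count": len(ac.alerts),
    }


if __name__ == "__main__":
    print(demo())
```

The review step is what keeps the controls honest over time: a permission that was correct when granted becomes an exposure as soon as the person changes jobs or leaves, so the log replay is run on a schedule rather than only at the moment of a request.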
Healthcare organizations must uphold privacy policies, enhance employee training on PHI security, and implement access controls, safeguarding patients’ PHI from potential data breaches.