Massachusetts General Hospital Confirms Third-Party Breach

A breach at Massachusetts General Hospital has potentially compromised the information of roughly 4,300 dental patients, the hospital warned Wednesday.

MGH was quick to point out that the leaked data wasn’t stored or maintained on its own systems but on those of a third-party vendor that assists the hospital in managing dental patients at several practices, including the hospital.

The compromised database belongs to Patterson Dental Supply Inc., a medical supplies company headquartered in St. Paul, Minn. An unauthorized individual accessed electronic files, some of which included data on MGH dental patients, on PDSI’s systems back in February, the statement reads.

It wasn’t until May 26, however – nearly three months after the breach – that law enforcement allowed the hospital to notify the public.

According to the statement, “law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation.”

It took another month after the hospital got the green light to actually disclose the breach to victims. Following its own investigation, the hospital claims it began mailing letters to notify those affected by the breach on Wednesday, June 26.

Patients who receive the letter will learn that sensitive information like their name, date of birth, and Social Security number may have been accessed. On top of that, “in some instances” the data may have included the date and type of their dental appointment, their dental provider name, and medical record number.

The fact that medical records are often so flush with information has made them a juicy target for attackers, especially as of late.

A report from this week detailed how some attackers are leveraging old worms like Conficker to target medical devices running on equally old platforms like Windows XP in order to extract medical records.

“These old worms such as Conficker are being used in tandem with much more sophisticated payloads that are able to go deeper into a hospital network and target specific devices that can gain criminals easier access to patient records,” Moshe Ben-Simon, co-founder of TrapX Labs, told Threatpost Thursday.

Another report from over the weekend claimed a hacker was selling upwards of 655,000 healthcare records on the dark web. That figure ballooned just a few days later, with some reports on Tuesday claiming that an even larger database, one that includes 9.3 million patient records from a health insurance provider, was making the rounds online.

Both headlines come in the wake of a report published last week that slammed hospital security. The report, “Workarounds to Computer Access in Healthcare Organizations,” commissioned by the University of Pennsylvania, Dartmouth College and the University of Southern California, found that workers at many facilities took shortcuts when it came to security and, even worse, that the infrastructure at many hospitals was fraught with vulnerabilities.
