Massachusetts General Hospital Suffers Third-Party Data Breach
Approximately 4,300 patients' names, birthdates and Social Security numbers were exposed.
Massachusetts General Hospital (MGH) recently began notifying approximately 4,300 dental patients that their personal information may have been compromised when an unauthorized individual gained access to the systems of third-party software vendor Patterson Dental Supply Inc. (PDSI), Kaspersky reports.
In a statement, MGH said that while the breach was discovered on February 8, 2016, "law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation."
The files stored by PDSI held the Mass General patients' names, birthdates and Social Security numbers, and in some cases, dates and types of dental appointments, dental provider names, and medical record numbers.
"We are committed to the security of all of the sensitive information maintained by our third-party vendors and are taking this matter very seriously," the hospital said in a statement. "To help prevent this type of incident from happening again, PDSI took steps to enhance the security of its systems that maintain dental practice data."
RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that the breach is unfortunately indicative of the broader problem of third-party vendors. "The healthcare industry is being aggressively targeted by attackers aiming to access and pilfer valuable patient medical data," he said. "For hospitals and medical organizations, the stakes are high -- in addition to critical patient data that's jeopardized, hospitals and medical organizations also have to be aware of loss of reputation and potential HIPAA/HITECH violations that could also result in costly penalties."
"Like other industries, healthcare organizations struggle to wrap their hands around copious risk associated with their numerous third-party vendors," Fantuzzi added. "But you can’t manage what you can’t see. Without clear visibility into their risk posture, it's nearly impossible to develop an effective plan to identify suspicious activity coming from third parties and apply the appropriate risk controls in order to mitigate the threat."
A recent Soha Systems survey of more than 200 enterprise IT and security C-level executives, directors and managers found that just 2 percent of respondents see third-party access as their top priority in terms of IT initiatives and budget allocation.
Still, 56 percent of respondents have strong concerns about their ability to control or secure their own third-party access, and 75 percent of respondents acknowledge that enabling third-party access requires them to touch numerous network and application hardware and software components.
Forty-eight percent of respondents have seen third-party access grow over the past three years, and 40 percent say they expect growth to continue over the next three years.
"For business reasons, organizations are increasingly providing third parties with access to their IT infrastructure, but IT and security leaders really need to help their business leaders understand the risks of third-party access and take steps to help manage these risks to an unacceptable level," Aberdeen Group vice president and research fellow Derek Brink said in a statement.
A recent eSecurity Planet article listed five best practices for reducing third-party security risks.