Hack of Medical Imaging Provider Affects Data of 2 Million
Shields Health Care Group Says PHI Was Stolen in March Incident
A hacking incident involving data theft from a prominent provider of medical imaging services in Massachusetts has affected 2 million individuals, making it the largest health data breach reported to federal regulators so far this year.
Quincy, Massachusetts-based Shields Health Care Group - which touts itself as the "official" provider of MRIs and related medical imaging services to several professional sports teams, including the New England Patriots, Boston Celtics and the Boston Bruins - reported the hacking incident involving a network server to the U.S. Department of Health and Human Services on May 27.
The incident, which Shields reported to HHS' Office for Civil Rights as a business associate, affected the protected health information of 2 million individuals who are patients of at least 56 Shields clients, ranging from area hospitals to various regional Shields-operated facilities located throughout the state.
Shields provides management and imaging services on behalf of those healthcare facilities, the company explains in a data security incident notice posted on its website.
"Imaging is a heavily used diagnostic tool, so the large number of affected facilities and patients is not a surprise," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
Breach Details
Shields in its notice says that on March 28, it was alerted to suspicious activity on its network. "Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event," the company says.
Shields' investigation into the incident determined that an "unknown actor" had gained access to Shields' systems for two weeks, from March 7 to March 21, acquiring "certain data," the notice says.
"Although Shields had identified and investigated a security alert on or around March 18, data theft was not confirmed at that time," the notice says.
The type of information potentially compromised includes patient full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.
Shields says its review of the affected data is ongoing. So far, the company has no evidence to indicate that any information affected in the incident was used to commit identity theft or fraud, the notice says.
Shields says that upon discovery of the incident, it took steps to secure its systems, including rebuilding certain systems. "Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security," the company says.
In addition to reporting the breach to federal and state regulators, Shields says it notified federal law enforcement authorities about the incident.
Shields did not immediately respond to Information Security Media Group's request for additional details pertaining to the breach.
Other Incidents
As of Tuesday, the Shields incident was the largest of the 265 incidents posted in 2022 to the HHS OCR HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
The second-largest breach posted to the HHS OCR website so far in 2022 is the hacking incident reported on Jan. 2 by Fort Lauderdale, Florida-based Broward Health as affecting 1.3 million individuals.
The Florida public hospital system says the incident detected in October 2021 involved data exfiltration affecting the personal information of patients and employees.
In its notification statement, Broward Health says an "intruder" gained entry to its network "through the office of a third-party medical provider permitted to access the system to provide healthcare services."
Biggest Targets
Cybercriminals will always go for the biggest targets, says Susan Lucci, senior privacy and security consultant at consultancy tw-Security. "The more data they can exfiltrate, the more they profit. When a covered entity serves as a business associate to hospitals, it is important for the hospitals to be certain that the data is protected by taking additional steps beyond the business associate agreement," she says.
Hospital privacy and security officers often ask for validation of certain security rule compliance evidence before they will negotiate contracts, she says. "However, some are still not doing that. Compliance with the security rule doesn’t mean a data breach cannot happen, but it may make it more difficult for the hackers to get into the network," she says.