DataBreaches.Net

Beth Israel reports potential data breach (update2)

Posted on July 18, 2011 by Dissent

Hiawatha Bray reports:

Beth Israel Deaconess Medical Center is notifying more than 2,000 of its patients that some of their personal information may have been stolen from a hospital computer.

The hospital said today that an unnamed computer service vendor had failed to restore proper security settings on the computer after performing maintenance on it. The machine was later found to be infected with a computer virus, which transmitted data files to an unknown location.

The computer contained medical record numbers, names, genders, and birth dates of 2,021 patients, as well as the names and dates of radiology procedures they’d undergone. But the computer didn’t contain the patients’ financial data or their Social Security numbers, which can be used to steal identities and defraud banks.

“We are grateful no Social Security numbers or financial information were released, and apologize for the inconvenience and deeply regret any concern this situation may cause,” said John Halamka, the hospital’s chief information officer.

Halamka said the virus transmitted information in an encrypted form, so the hospital does not know exactly what might have leaked, but wanted to inform patients anyway. “We just wanted to be ultra-careful,” he said.

The hospital will provide affected patients with one year of free identity protection service. For more information, patients can contact the hospital at 877-615-3765.

Source: Boston Globe.

Okay, this strikes me as a pretty rare occurrence. Having data exfiltrated by a virus is not rare, but in encrypted form? Maybe security professionals have encountered this before, but this is the first report of this kind that I can recall.

Update:  BIDMC’s statement on the breach:

Beth Israel Deaconess Medical Center (BIDMC) is in the process of notifying patients of a potential breach of protected health information as a result of the failure of a vendor to restore security controls following routine maintenance.

The computer, which was located in a locked room, stored BIDMC medical record numbers, gender, date of birth and the date and name of radiology procedures for 2,021 patients. No Social Security numbers or financial data was stored on the computer.

The computer was found to be transmitting data to an unknown location, the result of being infected by a computer virus following a routine maintenance visit.

“BIDMC takes this incident and the protection of protected health and personal information extremely seriously,” said John Halamka, MD, BIDMC’s Chief Information Officer. “We are grateful no Social Security numbers or financial information was released and apologize for the inconvenience and deeply regret any concern this situation may cause.”

“We continually test and modify systems, while aggressively enhancing practices to secure sensitive information. In this case, BIDMC shut down the computer immediately upon learning that it was infected with a computer virus. The computer was cleaned and all software re-installed to ensure the virus was no longer present. Updated security controls were also installed and activated to prevent viruses from being installed. BIDMC has also worked closely with its vendor representative to ensure that an incident such as this does not re-occur.”

Affected patients have been given access to state and federal resources, a toll-free telephone number, 877-615-3765 and one year of identity protection services, at no charge to them.

Beth Israel Deaconess Medical Center is a patient care, teaching and research affiliate of Harvard Medical School, and currently ranks third in National Institutes of Health funding among independent hospitals nationwide. BIDMC is clinically affiliated with the Joslin Diabetes Center and is a research partner of Dana-Farber/Harvard Cancer Center. BIDMC is the official hospital of the Boston Red Sox. For more information, visit www.bidmc.org.

The release inadvertently omitted that patient names were also on the computer but a hospital spokesperson confirmed that point today for me.

Update 2: In response to my inquiry about the exfiltrated data being encrypted, John Halamka, the hospital’s Chief Information Officer, explained:

The virus encrypted it, not us. The reason we are reporting it is that we are not sure that a breach occurred, but because a virus sent some data from the radiology device to some location, we wanted to be very conservative and report a possible breach.

Okay, that helps explain things. And yes, I would treat this as if a breach had occurred. I think the hospital definitely did the right thing here.
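As an added illustration (this is not code from the article, the Boston Globe report, or BIDMC), the two checks below show how a hospital security team could surface the scenario described above without needing to decrypt anything: a radiology modality only ever needs to reach a short list of internal systems, so any other outbound connection is reportable on its own, and a byte-entropy measurement confirms whether what it sent was opaque. All hostnames, addresses, the allowlist, and the firewall log lines are constructed for the example.

```python
"""Added example (not from the post or BIDMC). Two checks for the scenario above:

1. egress_violations(): a medical imaging device should only talk to a small,
   known set of internal systems (PACS/RIS). Any other outbound connection is
   suspicious regardless of content.
2. shannon_entropy() / looks_opaque(): encrypted or compressed payloads sit
   near 8 bits/byte, which is why the hospital could not tell what left. The
   check cannot recover the data, but it confirms the traffic was opaque.

Hostnames, IPs, the allowlist and the log lines are constructed.
"""
import ipaddress
import math
from collections import Counter

# Hypothetical egress policy: what a radiology modality legitimately talks to.
RADIOLOGY_EGRESS_ALLOWLIST = {
    "rad-modality-07": {"10.20.5.10", "10.20.5.11"},  # PACS and RIS (constructed)
}

# RFC 1918 space counts as "internal" for this hospital network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall records in a simple key=value format.
SAMPLE_FIREWALL_LOG = """\
ts=2011-07-01T02:14:03Z src=rad-modality-07 dst=10.20.5.10 dport=104 bytes_out=5120000
ts=2011-07-01T02:15:11Z src=rad-modality-07 dst=10.20.5.11 dport=443 bytes_out=8192
ts=2011-07-01T02:16:40Z src=rad-modality-07 dst=203.0.113.77 dport=443 bytes_out=2200000
ts=2011-07-01T02:17:02Z src=rad-modality-07 dst=10.20.5.10 dport=104 bytes_out=3100000
ts=2011-07-01T02:18:55Z src=rad-modality-07 dst=10.20.9.50 dport=445 bytes_out=12000
ts=2011-07-01T02:19:30Z src=rad-modality-07 dst=198.51.100.9 dport=8080 bytes_out=450000
"""


def parse_line(line):
    """Parse one key=value firewall record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(log_text, allowlist):
    """Return records where a policed host contacts a destination outside its
    permitted set, tagged with a reason for quick triage."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        src = rec["src"]
        if src not in allowlist:
            continue  # only hosts with a policy are evaluated here
        dst = rec["dst"]
        if dst in allowlist[src]:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": src,
            "dst": dst,
            "dport": int(rec["dport"]),
            "bytes_out": int(rec["bytes_out"]),
            "reason": ("unexpected internal destination" if is_internal(dst)
                       else "external destination"),
        })
    return findings


def shannon_entropy(data):
    """Bits of entropy per byte (0..8). Ciphertext/compressed data is near 8;
    ASCII text is typically around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_opaque(data, threshold=7.0):
    """Heuristic: treat a payload sample as encrypted/compressed above threshold."""
    return shannon_entropy(data) > threshold


if __name__ == "__main__":
    for f in egress_violations(SAMPLE_FIREWALL_LOG, RADIOLOGY_EGRESS_ALLOWLIST):
        print(f)
    # Constructed samples: a plaintext radiology record vs. a uniform-byte
    # stand-in for ciphertext (each byte value appears equally often).
    plaintext = b"MRN=1234567 NAME=DOE,JANE DOB=1960-01-01 PROC=CHEST XRAY" * 4
    ciphertext_like = bytes(range(256)) * 2
    print("plaintext:", round(shannon_entropy(plaintext), 2), looks_opaque(plaintext))
    print("opaque:", round(shannon_entropy(ciphertext_like), 2), looks_opaque(ciphertext_like))
```

The egress check is the one that would have fired early here: it needs no knowledge of the malware and no decryption, only a statement of which destinations a modality is allowed to reach. The entropy check is useful afterwards, when an analyst wants to confirm that captured payloads really were opaque rather than, say, base64 text.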

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.