Beth Israel Hospital suffers data breach - 2,021 people affected
The Boston Globe is reporting today that a major Boston hospital, Beth Israel, has suffered a data breach. This one appears to be "real" in the sense that no records were mistakenly left on a train; the information was purposely stolen via malware.
Hiawatha Bray, a technology writer at the Boston Globe, reports the hospital as saying that "an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it." Apparently that machine was later found to be infected with a virus which transmitted data files, in encrypted format, to an unknown location. If you ask me, it's a trojan, placed via a phishing e-mail... but that's just a guess.
The information taken appears to be medical record numbers, names, genders, birthdates and procedure details. The hospital says that no social security numbers were taken.
I would suggest that based on the information stolen, and the hospital's status as a "covered entity" under HIPAA, formal notification is required. Health and Human Services lists all reported data breaches here. I looked, but could not find this one... Maybe they haven't told them yet.
Interesting how the media finds out fairly early on in these situations, maybe even before the authorities.
Under Massachusetts Law, notification may also be required... I say "may" because according to the Globe's report, "medical record number" and "names" were stolen. On the MA Office of Consumer Affairs website, under the "Frequently Asked Questions" section, the question is asked whether an "insurance policy number" qualifies as a "financial account number" requiring notification. The answer:
An insurance policy number qualifies as a financial account number if it grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other asset.
I am comparing the "medical record number" with the "insurance policy number" for two reasons: one, it's likely that in the hospital's database the medical record number is associated with an insurance policy number (mine is). And two, it's certainly a way to get services under someone else's name.
If I had someone's name and their medical record number, could I show up at a hospital and obtain services via the emergency room? Of course, the bill would go to the victim, right? Why might someone do this, you ask? Prescription drug access is one possibility. The FTC has a page dedicated to "Medical Identity Theft" and describes what it means.
The major problem with using the medical record number is that the bad guys would have to know some details about the victim's past before using the number. You can't walk in as a twenty-something female using the medical record number of a fifty-something female... ah, but they took the birth dates as well.
I think it's an open question as to whether notification would be required under Massachusetts law.
Do you know what's also an open question? Why doesn't the Massachusetts Attorney General post the reported data breaches? The Federal Government does, the Attorney General in New Hampshire does... New Hampshire posts the actual letters sent to them reporting the breach.
Did you know that I requested all filed notification letters under a Freedom of Information-type request? Four months after my initial request I was told that I could have all 2,400 of them, for $2,907.00.