Nantucket Cottage Hospital (NCH), a member of Mass General Brigham, recently notified individuals about a security incident involving their protected health information. The breach occurred between May 21, 2024, and August 10, 2024, when a workforce member accessed electronic health records without an authorized business purpose. Personal details, including names, dates of birth, Social Security numbers, health insurance numbers, and contact information, were among the exposed data. Clinical information such as diagnoses, lab results, medications, and treatment details were also potentially affected, although financial details such as credit card numbers were not involved.
The hospital’s internal investigation confirmed the unauthorized access, which was promptly addressed by NCH. By August 29, 2024, the investigation was completed, and appropriate corrective measures were implemented. The individual responsible for the breach is no longer employed by NCH and has been denied access to hospital systems. NCH has since taken steps to strengthen safeguards to prevent future incidents, including enhancing workforce training and ensuring better data protection protocols are in place.
As a precautionary measure, NCH has reached out to those impacted and provided guidance on steps they can take to protect themselves from the potential misuse of their personal information. A list of recommended actions, such as monitoring personal health records and other protective measures, was included in the notification. The hospital has expressed regret for any concerns caused by the breach and reassured individuals that their data privacy remains a top priority.
Individuals with questions about the incident are encouraged to contact the Mass General Brigham Privacy Office for further assistance. The hospital continues to work on improving its internal controls and has committed to ongoing education for its workforce to reduce the risk of future breaches. While no financial data was compromised, NCH is dedicated to restoring trust and ensuring the security of sensitive patient information moving forward.
Reference:
