UMass Memorial Health in Worcester has notified patients of a privacy incident last year potentially compromising personal data, in a notice distributed to those impacted by the data breach.
According to the U.S. Department of Health and Human Services Office for Civil Rights, which is tracking the incident, 209,048 people were impacted by the hack of employee emails.
After an investigation, it was determined that the unauthorized person accessed UMass Health’s email accounts between June 24, 2020 and Jan. 7, 2021, per the notice.
The breach was filed with the U.S. Department of Health and Human Services Office for Civil Rights on Oct. 15.
“The investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts. Out of an abundance of caution, we reviewed all of the emails and attachments contained in the email accounts to determine if they contained any patient or health plan participant information,” according to the notice.
The information included on the breached accounts included patient information such as names, dates of birth, medical record numbers, health insurance information, and clinical or treatment information, such as dates of service, provider names, diagnoses, procedure information, and/or prescription information. For health plan participants, the information involved included names, subscriber ID numbers, and benefits election information.
Social Security numbers and/or driver’s licenses may have also been involved for several individuals, according to the notice.
This incident did not affect all UMass Memorial patients or health plan participants; but only those whose information was contained in email accounts which had been accessed without authorization, per UMass Health.
