More than 200,000 patients of UMass Memorial Health may have had their personal information compromised in an email hack. The Worcester hospital says a hacker accessed email accounts for seven months, beginning in June of 2020.
A message to patients says the hack may have revealed names, Social Security numbers, and medical information.
According to the notice, the hospital first discovered this January that some UMass Memorial employees' email accounts had been accessed by an "unauthorized person."
"At that time, it was not known specifically what information may have been contained in the accounts," the statement reads. "After first identifying suspicious activity within the employees’ email accounts, we immediately took steps to secure the accounts and a computer forensic firm was engaged to assist with our investigation. The investigation determined that an unauthorized person accessed the accounts between June 24, 2020 and January 7, 2021."
UMass Memorial says it then spent more than seven months determining which individuals had information in those email accounts that could be compromised. The statement doesn't list a number of people who had information in those emails, but the U.S. Department of Health and Human Services says 209,048 individuals were affected.
"For patients, the information involved included names, dates of birth, medical record numbers, health insurance information, and clinical or treatment information, such as dates of service, provider names, diagnoses, procedure information, and/or prescription information," the statement says. "For health plan participants, the information involved included names, subscriber ID numbers, and benefits election information. For some individuals, a Social Security number and/or driver’s license number was also involved."
UMass Memorial says it has no indication that individuals' information was actually viewed by the hacker.
Felicia O'Brien of Worcester says she got a letter from UMass Memorial, addressed to her two-year-old daughter, saying the child's medical information was in some of the hacked emails.
"I guess anyone can hack into anything, but hospitals are supposed to really be locked down with stuff like that," she said.
O'Brien said that when she posted about it on Facebook, comments poured in from people who had received similar notices.
"I had at least 50 different comments of people saying that theirs also were [hacked] into," she said. "And UMass basically said 'well, there's nothing we can do. We're just telling you, and that's that.' Which, everyone else is just as mad as I am, because it's not supposed to happen."
UMass Medical says it's offering free credit monitoring only to patients whose Social Security number or driver's license number was accessed. It declined to comment beyond forwarding the message sent to patients.
The news comes as Governor Charlie Baker addressed a state conference on cybersecurity Thursday. Baker said the pandemic has made the state more vulnerable to cyber attacks.
"Security issues have become paramount as we've worked, gone to school and carried out other essential business over the past 18 months," Baker said. "And unfortunately our increased reliance on technology has led to a rise in cyber threats — a persistent threat against our communities, where hackers target municipalities, healthcare organizations, and much, much more."
Baker called on organizations and local governments across the state to take steps to protect sensitive information.
"We must have a sense of urgency to mitigate these attacks and defend our systems from these criminals," he said.