2 Million-record Data Breach Reported by Massachusetts Medical Imaging Services Provider

A data breach affecting 2 million individuals has been reported to the Department of Health and Human Services’ Office for Civil Rights, the largest breach to be reported by a single HIPAA-regulated entity so far in 2022.

Shields Health Care Group is a Quincy, Massachusetts-based provider of MRI, PET/CT, ASC, radiation oncology, and ambulatory surgical services, which are provided at hospitals and more than 40 Shields-operated facilities throughout New England. Shields Health Care Group, acting as a business associate, said it was alerted to suspicious activity within its network on March 28, 2022, that may have involved data compromise. A security incident had been detected and investigated on or around March 18, 2022, but at that time it did not appear that there had been any unauthorized data access.

The forensic investigation revealed an unauthorized actor had gained access to certain Shields systems from March 7, 2022, to March 21, 2022, and during that time frame, certain files containing patients’ protected health information had been exfiltrated from its systems. While the removal of files from its network was confirmed, Shields said it is unaware of any actual or attempted misuse of patient data.

The review of the impacted files revealed they contained information such as full names, dates of birth, home addresses, Social Security numbers, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields said the 2 million affected patients had received medical imaging services at any of 56 healthcare facilities, including hospitals and Shields-run facilities.

Shields said notification letters will be mailed to affected individuals when the data review has been completed. It is unclear at this stage whether credit monitoring and identity theft protection services will be offered to affected individuals. Shields said immediate action was taken to contain the incident, certain systems have been rebuilt, and additional safeguards will be implemented to better protect patient data.

The breach is larger than the previous 2022 record holder – Florida-based Broward Health – which reported a breach of the protected health information of 1.3 million individuals in January.