Minuteman Senior Services

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Minuteman Senior Services (MSS), based in Massachusetts, experienced a significant data breach involving an employee’s email account. On November 30, 2022, MSS detected suspicious activity in the account, leading to the discovery that an unauthorized individual had accessed it between November 21 and November 30, 2022. This breach was reported to the U.S. Department of Health and Human Services on January 27, 2023, indicating that at least 500 patients were affected—a figure that represents a threshold for mandatory reporting but does not necessarily reflect the total number of individuals impacted. The exact number of affected patients was still under investigation at the time of reporting.

The compromised email account contained sensitive personal information, including full names, addresses, dates of birth, genders, health insurance details, diagnoses, and service utilization data, although the specific types of compromised information could vary by individual. MSS has been working with an external data review specialist to identify the personal information in the account and the individuals to whom it pertains. As of January 27, MSS had not yet completed this review or begun notifying potentially impacted individuals through written letters.

In response to the breach, MSS secured the impacted email account and stated its commitment to enhancing its existing policies and procedures, as well as implementing additional administrative and technical safeguards to further secure the information in its care. However, this incident was not the first of its kind for MSS; a similar breach involving an employee’s email account occurred in July 2022, affecting 4,000 patients. The repetition of such incidents raises questions about the effectiveness of MSS’s security measures and whether sufficient actions were taken after the first breach to prevent subsequent ones, including the deployment of multi-factor authentication (MFA), staff training on phishing, and password resets.

The July 2022 breach and the November 2022 breach both highlight ongoing challenges in protecting sensitive information within healthcare organizations and underscore the importance of robust cybersecurity measures to prevent unauthorized access to personal data [1].

Citations:

  1. https://www.databreaches.net/second-verse-same-as-the-first-minuteman-senior-services-reports-another-breach-of-an-employee-email-account/
  2. https://www.mass.gov/lists/data-breach-notification-letters-june-2022
  3. https://www.minutemansenior.org/assets/media/documents/HIPAA2014.pdf
  4. https://apps.web.maine.gov/online/aeviewer/ME/40/8d727793-933d-401c-b060-25300545b12e.shtml
  5. https://www.minutemansenior.org/about-us/notice-of-data-event
  6. https://www.mass.gov/doc/assigned-data-breach-number-26774-minuteman-senior-services/download
  7. https://www.hipaajournal.com/healthback-holdings-email-security-breach-affects-21000-individuals/
  8. https://www.doj.nh.gov/consumer/security-breaches/documents/minuteman-senior-services-20220623.pdf
  9. https://www.wwlp.com/news/crime/the-biggest-health-care-data-breaches-you-should-know-about-in-massachusetts/
  10. https://www.csidb.net/csidb/incidents/ce5676fe-2160-4ea8-9af7-f7b25c41558b/

Breach Submission Date: Jan 27, 2023
Converted Entity Name: Minuteman Senior Services
Converted Entity Type: Healthcare Provider
State: MA
Individuals Affected: 500
Breach Type: Hacking/IT Incident
Breach Information Location: Email
Business Associate Present: Yes