UMass Memorial Health, Inc.

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

UMass Memorial Health Data Breach Overview

UMass Memorial Health, a healthcare network based in Worcester, Massachusetts, experienced a significant data breach that affected the personal information of thousands of individuals. The breach occurred over a period from June 24, 2020, to January 7, 2021, and involved unauthorized access to the network, potentially exposing sensitive data.

Breach Details

The breach exposed various types of personal information, including:

  • Medical record numbers
  • Dates of service
  • Provider names
  • Diagnoses
  • Procedure information
  • Driver’s license numbers
  • Financial account information
  • Social Security numbers[1][2][4][9][14][15][19][20].

For some patients, only medical information was involved, such as health insurance information and clinical or treatment information[1].

Notification and Response

UMass Memorial Health notified affected patients and offered free credit monitoring and data protection services to those whose Social Security numbers or driver’s license numbers were involved[1][4][14][18][19]. They also advised patients to review statements from health insurers or healthcare providers for any services not received[1].

Legal Actions and Settlement

A class action lawsuit was filed against UMass Memorial Health, alleging negligence in the breach. UMass Memorial Health agreed to a $1.2 million settlement without admitting wrongdoing. The settlement provides payments to individuals who submit valid claims for expenses and lost time relating to the data incident, and for credit monitoring and identity protection services. Impacted individuals may claim up to $150 for ordinary expenses and up to $5,000 for extraordinary reimbursements[2][3][5][9].

Additional Incidents

UMass Memorial Health also faced a separate payroll data breach in December 2021, which led to a settlement of $1.2 million for affected workers[4][17]. In another incident, UMass Memorial was affected by a breach at Blackbaud, a vendor providing data services, which may have involved backup copies of databases containing donor information[18].

Preventive Measures

Following the incidents, UMass Memorial Health has taken steps to reinforce staff education on identifying suspicious emails and has made additional security enhancements, including enabling multifactor authentication[14][19].

Current Status

The legal proceedings have been settled, and UMass Memorial Health continues to address the aftermath of the breach, focusing on improving security measures and supporting affected individuals. Affected individuals were encouraged to submit claims by specific deadlines to receive compensation or credit monitoring services[5].

Citations:

  1. https://www.mass.gov/news/umass-memorial-health-data-breach
  2. https://healthitsecurity.com/news/umass-memorial-health-center-resolves-healthcare-data-breach-lawsuit-with-1.2m-settlement
  3. https://www.hipaajournal.com/umass-memorial-health-proposes-1-2-million-settlement-to-resolve-data-breach-lawsuit/
  4. https://www.telegram.com/story/news/2023/05/16/umass-memorial-medical-center-of-worcester-settles-data-breach-suit/70220991007/
  5. https://ummhcclasssettlement.com
  6. https://www.cbsnews.com/boston/news/umass-chan-data-breach-massachusetts-moveit/
  7. https://www.wgbh.org/news/local/2023-05-31/lawmakers-alarmed-over-umass-memorial-healths-plans-to-close-birth-unit-in-leominster
  8. https://www.americanbar.org/groups/health_law/section-news/2023/august/umass-memorial-hc-settled-two-suits/
  9. https://www.databreaches.net/umass-memorial-health-settles-lawsuit-claims-from-2020-hack/
  10. https://www.campussafetymagazine.com/news/cyberattack-disrupts-hospitals-clinic-services-in-5-states/
  11. https://www.jdsupra.com/legalnews/umass-memorial-health-care-inc-files-9123181/
  12. https://www.boston.com/news/crime/2023/08/16/massachusetts-data-security-breach-moveit-umass-chan-medical-school/
  13. https://www.bostonherald.com/2023/08/15/massachusetts-medical-school-latest-to-fall-victim-to-moveit-hack-officials-say/
  14. https://www.telegram.com/story/business/information-technology/2021/10/28/hacker-accessed-medical-info-thousands-email-breach-umass-memorial-health-worcester/8580074002/
  15. https://www.wwlp.com/news/crime/the-biggest-health-care-data-breaches-you-should-know-about-in-massachusetts/
  16. https://www.darkdaily.com/2023/07/14/major-data-breaches-at-hospitals-clinical-laboratories-and-health-plans-continue-to-put-patient-data-at-risk/
  17. https://www.beckershospitalreview.com/cybersecurity/umass-memorial-medical-center-settles-data-breach-suit-for-1-2m.html
  18. https://www.ummhealth.org/umass-memorial-medical-center/patients-visitors/patient-resources/blackbaud-privacy-incident
  19. https://www.ummhealth.org/umass-memorial-medical-center/newsroom/press-releases/notice-our-patients-privacy-incident
  20. https://apps.web.maine.gov/online/aeviewer/ME/40/472311e2-fa16-4151-9a28-8b894b291514.shtml

Breach Submission Date: Feb 28, 2022
Converted Entity Name: UMass Memorial Health, Inc.
Converted Entity Type: Business Associate
State: MA
Individuals Affected: 4,270
Breach Type: Hacking/IT Incident
Breach Information Location: Email
Business Associate Present: Yes