Boston Medical Center, a 496-bed academic medical center in Boston, discovered a data breach on March 3 when the records of 15,000 patients were posted online by a vendor. The records, which contained patients’ names, addresses, and medical information, including what drugs they were taking, were potentially compromised as a result of a website posting by the medical center’s transcription service vendor, MDF Transcription. The vendor’s website, which lacked password protection, was used by physicians to record and access patient notes.
Upon learning of the breach, Boston Medical Center sent breach notification letters to affected patients. According to The Boston Globe, the medical center’s chief of staff, Jenni Watson, indicated that it was unaware of any unauthorized individuals actually looking at the records. Also, the records did not contain patients’ social security numbers or financial information.
MDF Transcription had been a subcontractor of BMC for ten years; however, as a result of this breach, BMC has terminated this relationship.
The security controls at MDF were clearly weak, given the lack of password protection. While it is common for small business associates to have weak controls, this is such an obvious deficiency that it highlights Boston Medical Center’s lack of even the most rudimentary due diligence on its vendors.
Two take-aways from this situation are that business associates, especially small ones, need to become more serious about HIPAA compliance, and that for covered entities, simply signing a HIPAA Business Associate agreement is not always sufficient; some scrutiny and diligence with vendors is appropriate.