Latest cyber news: Data breach at top hospital MGH
Your weakest cyber security leak may be outside your own network. In another demonstration of how an organization can face significant financial and reputational exposure from another’s failure of cyber security, Massachusetts General Hospital announced this week that one of its vendors suffered a cyber breach — on the vendor’s own network — that exposed more than 4,000 records of MGH patients. Some of the compromised information may have included patient names, dates of birth and Social Security numbers.
Because of the vendor’s breach, MGH has had to notify the affected patients and has set up a call center to address their concerns. At the behest of law enforcement officials, MGH waited three months before notifying the victims of the breach. The vendor took actions to improve its cyber security after being informed of the breach.
This breach illustrates how an organization that has arguably done nothing wrong can still be liable for breaches of confidential information. It also shows the importance of vendor management.
The MGH breach highlights an especially important issue for HIPAA-regulated organizations, because of the significant obligations imposed on those who provide access to protected health information – and because of the substantial fines that can be imposed even when a breach is quite small.
MGH probably can look to the vendor for indemnification — but many organizations can’t, or their vendors may not have the financial strength to satisfy their indemnification obligations. And if a regulator investigates, an organization can face a fine much more substantial than the breach itself.
Gallagher has proprietary tools that help clients address the cyber risk they face via their vendors. Our team would be happy to discuss this with you at your convenience.
About the Author
John Doernberg is an Area Vice President at Arthur J. Gallagher. He works with inside and outside counsel as a Claims Advocate for Gallagher clients on policy negotiation and the handling and settlement of claims, and is a resource on privacy, information security and risk management issues. Prior to becoming an insurance broker in 1995, he practiced corporate law in New York and Boston for 12 years.