BOSTON, MASSACHUSETTS - Brigham and Women’s Physician Organization, Inc. (“BWPO”), a member of Mass General Brigham Incorporated (MGB) is notifying individuals of an incident it recently became aware of involving some patients’ personal information. This notification is in follow-up to an incident which occurred at Harvard Pilgrim Health Care (Harvard Pilgrim) last year. [BWPO does not own or operate Harvard Pilgrim.]
On January 29, 2024, Harvard Pilgrim informed BWPO that they discovered a file from 2019 on a Harvard Pilgrim server that contained a limited amount of BWPO patient data. An employee of Harvard Pilgrim Health Care Institute, who was also a part-time employee of BWPO, backed up the contents of their laptop in 2019 to Harvard Pilgrim’s systems. Unfortunately, Harvard Pilgrim determined that this 2019 file had been accessed by an unauthorized third party in connection with a cybersecurity ransomware incident at Harvard Pilgrim. According to Harvard Pilgrim, on April 17, 2023, it discovered that it was the victim of a cybersecurity ransomware incident between March 28, 2023, and April 17, 2023, that impacted its systems.
This incident did not occur on BWPO or MGB systems or network.
Following initial notice in January 2024, BWPO engaged with Harvard Pilgrim to further understand the incident. Personal information disclosed may have included individuals’ name, address, phone number, date of birth, medical record number, health insurance number and limited clinical information (such as lab results, procedures, medications, and diagnoses related to care provided at BWPO sometime between January 1, 2017, and May 1, 2019). Not all data elements were involved for all individuals.
This incident did not involve Social Security Numbers, financial account numbers, or debit/credit card numbers for any individual.
Although the incident did not occur on BWPO systems, BWPO is fully committed to protecting the privacy and security of personal information. BWPO is notifying affected individuals and encourages affected individuals to review their statements to ensure account activity is valid. BWPO has taken appropriate steps to address this matter and prevent something like this from happening in the future.
BWPO regrets this matter occurred. Individuals who have any questions or would like further information about this matter can call the following toll-free number: 833-294-2020 during the hours of 8:00 a.m. to 4:00 p.m. EST, Monday through Friday, or can contact BWPO by email at bwhcHIPAA@partners.org.
##
