Incident

Brigham and Women’s Physician Organization reports third party data breach



Brigham and Women's Physician Organization (BWPO) is reporting a data breach that affected some of its patients' personal information. The breach was caused by a cyberattack that targeted several major health insurers in Massachusetts during 2023.

Specifically, on January 29, 2024, BWPO was informed by Harvard Pilgrim Health Care that a file stored on a Harvard Pilgrim server from 2019, which contained limited patient data from Brigham and Women's, was compromised during a data breach.

This issue traces back to a cybersecurity incident involving ransomware at Harvard Pilgrim Health Care, identified on April 17, 2023. The attack took place between March 28, 2023, and April 17, 2023. An investigation revealed that an employee, who worked part-time at both Harvard Pilgrim Health Care Institute and BWPO, had backed up data from their laptop to Harvard Pilgrim's systems in 2019. This backup, which included a file from 2019, was later found to have been accessed by an unauthorized party during the 2023 ransomware attack.

The exposed data encompassed personal information of patients including:

  • names,
  • addresses,
  • phone numbers,
  • dates of birth,
  • medical record numbers,
  • health insurance numbers,
  • limited clinical details (including lab results, procedures, medications, and diagnoses)

The number of affected individuals is not disclosed.

The data spans a period from January 1, 2017, to May 1, 2019. BWPO claims that Social Security Numbers, financial account numbers, or debit/credit card numbers were not compromised.
