Boston Medical Center said it fired a transcription service after a health care provider reported the records of about 15,000 patients at the hospital were posted without password protection on the vendor’s website used by physicians.
The records contained patients’ names, addresses, and medical information, including what drugs they were taking, but did not include Social Security numbers or financial information, said Jenni Watson, the hospital’s chief of staff.
Watson said Boston Medical Center sent letters to the patients notifying them of the data breach on the website operated by MDF Transcription Services and its subcontractors. She said the hospital had no reason to believe the information was viewed by outsiders or misused.
“We have no evidence that any unauthorized individuals actually looked at the records,” Watson said. “But we wanted to notify the patients involved.”
A representative of MDF did not return a phone call seeking comment.
In a statement, Boston Medical Center said doctors’ notes typically posted on the vendor’s site with password protection “could have potentially been accessed by non-authorized individuals.”
The hospital had been doing business with the vendor for about 10 years but it was not clear how long the physicians’ notes had been left unprotected on the site.
When the hospital discovered the breach on March 4, the statement said, “We immediately informed MDF and its subcontractors of this error and the website was removed from the Internet on the same day.”
The statement also said, “We take our responsibility to maintain our patients’ privacy very seriously and have notified all individuals who were affected by this vendor error. . . . As a result of this incident, we have terminated our relationship with MDF.”