Massachusetts General Hospital said Thursday that a data breach in its neurology department has exposed the private information of nearly 10,000 people.
“An unauthorized third party” accessed data in two computer programs used by researchers, Mass. General said.
The breach exposed data about participants in certain research programs, including their names, dates of birth, medical record numbers, and medical histories. Social Security numbers and financial information were not disclosed, according to the hospital.
The incident occurred in June. The hospital has begun notifying people who were affected.
“As soon as MGH discovered this incident, it took steps to prevent further unauthorized access,” spokesman Michael Morrison said in a statement.
“MGH also engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution,” he said.
The hospital said it does not believe that participants should take any specific steps because of the breach. It provided a toll-free number, 866-904-6219, for individuals who have any questions or would like additional information about the incident.
“I think this goes to show you can never be too careful with patient data,” Nilesh Chandra, a Boston-based health care expert at PA Consulting, said in a statement. “Even for highly mature organizations, a privacy centric approach is required in all aspects of clinical and business operations to ensure that patient data is handled securely.”
The breach at MGH is the latest such incident involving Boston-area hospitals in recent years, including:
■ A 2012 breach at Beth Israel Deaconess Medical Center left thousands of patients’ details vulnerable. The hospital later agreed to pay a $100,000 state fine and improve the security of patient information.
■ In 2014, Boston Medical Center fired a transcription service after a health care provider reported that the medical records of about 15,000 patients at the hospital were posted without password protection on the vendor’s website used by physicians.
■ At McLean Hospital in Belmont, information about 12,600 people who donated their brains to research went missing in 2015. The psychiatric hospital agreed to pay $75,000 in a settlement with the state and to beef up computer security.
■ A 2016 breach at Massachusetts General exposed personal data of about 4,300 dental patients.
■ In 2018, Cambridge Health Alliance notified patients of a data breach that resulted in billing information for 2,500 people landing in the hands of an “unauthorized third party.”
Correspondent Adam Sennott contributed to this report.