Big Massachusetts General Hospital Breach Exposes Health Care Security Weaknesses
The medical information on some 9,900 individuals was accessed in a third-party healthcare data breach of the Department of Neurology at Massachusetts General Hospital (MGH). Data in two computer programs used by researchers were accessed by an unauthorized third party, according to a Boston Globe report.
“This makes one wonder if MGH outsourced the data or the research to a third party, perhaps to another country, thus also outsourcing their security,” said Colin Bastable, CEO of Lucy Security.
This is the second known third-party data breach at MGH. An earlier breach happened in 2016.
“The medical industry was the first to be phished, over 20 years ago, and it still leads the way in data incontinence,” said Bastable.
Medical and personal data on patients participating in the research programs were exposed last June.
“This breach is troubling. Medical information, including medical history, diagnoses and even genetic information, has been compromised,” said Dan Tuchler, CMO at SecurityFirst.
“We don’t have much experience yet in what kind of lasting damage can be caused with this very personal info, but this is surely going to grow in the future,” Tuchler added.
While future consequences are as yet unknown, criminals are finding uses for this highly personal information now.
“This significant attack highlights why healthcare cybersecurity defenses must be robust. Patient data is highly valuable to hackers, who often use the stolen information to commit further crimes like identity theft,” said Matt Aldridge, solutions architect at Webroot, now a subsidiary of the Boston-based data security company Carbonite. “Health data is incredibly important to people and is far more personal than other information.”
While data breaches are common these days, medical data is supposed to be among the most protected by law. So how did MGH get breached twice by a third party?
“Unauthorized access is a common theme across most breach incidences; however, much like there’s a difference between a burglar disarming your home security system and leaving your front door wide open, there’s a distinction to be drawn between an advanced, coordinated attack and overprovisioned access rights to a data resource,” said Adam Laub, CMO at STEALTHbits Technologies.
The hospital said it doesn’t believe research participants need to take any action at this time; however, this and numerous other health care breaches inside and outside of Boston expose MSSP customers to new threats, such as blackmail based on medical information and the use of medical vulnerabilities to enable physical attacks. It behooves MSSPs and other security providers to anticipate threats that draw on stolen medical information and to develop ways to mitigate those risks now.
Meanwhile, further protective measures against such attacks are in order.
“Concepts such as least-privilege access models across shared data repositories, removal of ‘standing privileges’ for administrative accounts across systems and applications, and a focus on authentication-based attack vectors that attackers use to impersonate users, escalate privileges and achieve persistence can have immediate and long-lasting impact on any organization’s security posture,” said Laub.