
Berkshire Argus founder and editor Bill Shein breaks down his investigation into data leaks at Berkshire County’s largest employer and healthcare provider

The main sign on the campus of Berkshire Health Systems' flagship hospital, Berkshire Medical Center, in Pittsfield, Massachusetts. (Photo: BHS / Provided)

This month, independent non-profit news outlet The Berkshire Argus published an investigative report on data leaks at Berkshire Health Systems. The company is a big fish in the small pond of the westernmost region of Massachusetts. It’s both the largest healthcare provider and the largest employer in a region that’s faced steady population decline since its industrial economy withered away near the end of the 20th century. Bill Shein is the founder and editor of The Berkshire Argus. He sat down with WAMC to explain what he discovered about the Berkshire Health Systems data leak, the company’s response, and the unanswered questions about how the privacy of Berkshire County patients will be protected moving forward.

SHEIN: Anyone who lives in Berkshire County has had medical services provided by Berkshire Health Systems. They have more than 4,000 employees, they are the, by far the largest provider of healthcare services. So, full disclosure, I've been a patient of Berkshire Health Systems and been to the hospitals and the private practice, my primary care physician is part of BHS for the last 25 years. So, it's a large institution, about 4,000 employees. They have rolled up a lot of other practices and services in recent years, so they really are the dominant player. So, you can't really avoid Berkshire Health Systems. And so, in that sense, it's very important how they operate, how they manage the business. It's very important. So, this story came about- I'd heard from a few people that they had received letters about a data breach. And these days, everybody gets letters about data breaches. They're pretty widespread and common, both for medical information, but also for personal financial information. HHS, the U.S. Department of Health and Human Services, tracks any violations of or any data breaches that intersect with HIPAA requirements, HIPAA privacy and data security requirements. And last year, there were 180 million people whose information was affected by a data breach. And that’s- I should just say, that's not necessarily unique individuals, but they have 180 million instances where somebody's protected medical information was revealed.

WAMC: So, for Berkshire County, there's what, thousands of patients in the county who have their data going into the BHS system?

SHEIN: That's right, yeah, across the three hospitals- So, Fairview Hospital in Great Barrington, Berkshire Medical Center here in Pittsfield, and the North Adams Hospital that recently reopened as a critical access hospital, plus all of the outpatient services, all of the different clinics, urgent care centers, private practices that are rolled up into BHS. So, the last number that I saw was about 130,000 patients, kind of on a rolling three-year average from fiscal year 2022, and hundreds of thousands more outpatient visits to the hospitals, tens of thousands to the ERs each year, both at Fairview and BMC. So, quite a large number.

WAMC: So, you find out about these letters going out about a data leak, you start looking into these public resources to see what's happening as far as the regulators around BHS- What do you start to find about this leak?

SHEIN: So, because of the location here, BHS has patients from Massachusetts, but also from Connecticut, from New York, from New Hampshire, and each state has its own data privacy laws, some of which cover financial information, some of which cover personal medical information that overlap with federal requirements. So, I looked around at nearby states to see if they had had any filings. In most cases, states have requirements that, whether it's with the Attorney General's office or a Consumer Affairs Bureau, to file a notification- what kind of information has been disclosed, what form it took, was it a hack, was it, like in the case of this breach, an employee who improperly accessed information? How many people were affected, what information was affected? And based on the number of people, there are different requirements. HHS has requirements when HIPAA privacy violations happen, if there are more than 500 people, it requires a notification within 60 days to HHS, also to the affected patients, and also notifications to major media if there's more than 500 people impacted in a jurisdiction or in a state. So, I looked around at these other states and was able to start pulling together documents that have been filed in New Hampshire and Connecticut, and follow those two to what was filed with HHS.

WAMC: So, you have these documents now from multiple states impacted by the data leak from BHS- What are you finding in those statements about what actually was, what emitted from BHS to the wider world?

SHEIN: The basics of the story are that they said that they received a report the beginning of June this year of an employee who had been improperly accessing patient information- So, not authorized to look at information or look at the number of patients that this employee did. They said that the improper disclosure probably went as far back as 2014 when the employee was first hired at Fairview Hospital. The filings with different jurisdictions had some different numbers. BHS told HHS that it was 1,000 patients. A filing with the state of Connecticut said it was 654 patients. They made clear they didn't believe it was any sensitive financial information or identifying information like social security number, but it did include visit notes- Your name, other information that was personally identifiable. So, putting those together, I went to BHS and asked them about it, and they had made an earlier statement to the press. It didn't share very much information. But the basic questions people want to know- Where did this employee work over those years, how many people had been affected, and what would happen going forward? And BHS said they have systems in place to protect privacy, they had tightened them up in the wake of this, but they didn't really provide any additional information.

WAMC: What's at stake here? I mean, the idea of personal information coming out of this effectively, healthcare monopoly in Berkshire County- I mean, it suggests that there's larger questions about how folks in the Berkshires are being served by this crucial and somewhat dominant company.

SHEIN: Yeah, it's a great question, because they are so dominant and because so many different elements of healthcare are rolled up into BHS, and they use an electronic medical record system that combines all of those practices, which makes delivering good healthcare more efficient. And you want your providers to know your background- But what that also means is a lot of questions about privacy practices across all of these different locations, what systems are in place to make sure that they are keeping track of who's accessing that information. And that is one of the requirements under the HIPAA regulations, is that you have to have systems in place to audit access of employees, of medical information, and a way to see if it's being accessed improperly. So, I think that, to your question, that raises some interesting questions about how well Berkshire Health Systems has done over the years in monitoring who is accessing information, if, in this case, it was someone who had been doing it for a decade and they weren't aware of it.

WAMC: Now, as far as the aerial view here, do you think of this sort of- Are there greater regulations that could come to the fore? Do you think there should be more scrutiny over the company? What do you think a constructive step forward would be for both the county and the company based on your findings?

SHEIN: Well, I think it's a couple of things. What's in the mix right now in a few states, including Massachusetts, is, number one, to redefine what personal information is. There are requirements under HIPAA that medical information, if it's accessed improperly, that they provide breach notification. But Massachusetts is interesting. We define personal information- It does not include health information unless it's paired with a social security number or a bank account. So, in fact, in Massachusetts, notification is not really required, though Berkshire Health Systems did send notification to the Attorney General's Office. So, there's legislation that's been around for a couple of sessions in Massachusetts to tighten that up so personal information includes, like it does in other states, can be just medical information, even if it doesn't include social security number. I think the broader debate seems to be here and elsewhere about the model that we've used, which is this breach and response, which is, when there's a breach, there's a well-worn path now through regulation in each state and nationally to provide notification to various regulators, provide notification to patients or people whose financial information has been affected. Maybe provide notification to consumer credit reporting agencies in those cases. The movement seems to be, perhaps we need to rethink whether or not or how information is accessed at all, and which of our private information is provided to companies and how it's protected. I think in this case, really the open questions are, how large was this data breach, the questions about whether or not they have effective systems in place to audit employee access, what the final numbers will look like. They have an ongoing investigation, though, as you saw in the reporting, one of the key questions is, how far back in their systems are they going to look? And they told the Department of Health and Human Services that it would be an undue burden for them to look back earlier than October of 2022, even though they acknowledged that an employee had accessed information improperly going all the way back to 2014. So, I think those are important questions, and whether or not they'll provide some insight into why they don't think it's important to look back a little bit further and to provide the answers to questions about their overall privacy policies, and if they're properly auditing employee access.

WAMC: Bill, final words, anything I've not thought to ask you want to make sure folks understand about this story?

SHEIN: Well, right now, the numbers of people affected, compared to some of the much larger data breaches, are relatively small, between 650 and 1,000- Though BHS has acknowledged, as their investigation continues, the numbers will probably increase. So that's some important context. You can go on the websites of many of these regulators, where they post every day the breaches that are happening of financial information, of protected health information, and there are a lot. And I think all of that together raises some questions about whether a new approach is needed. And in this particular case, it'll be interesting to see in the coming weeks and months what the full scope of this is, and if there's other information about privacy practices here in the county that we'll learn about.

WAMC: Bill, thank you so much.

SHEIN: My pleasure. Thank you, Josh.

In a statement, Berkshire Health Systems told WAMC that the company “takes privacy seriously, and we have taken appropriate actions, including optimization of privacy monitoring software, to ensure this type of incident does not occur again.”

Josh Landes has been WAMC's Berkshire Bureau Chief since February 2018 after working at stations including WBGO Newark and WFMU East Orange. A passionate advocate for Berkshire County, Landes was raised in Pittsfield and attended Hampshire College in Amherst, receiving his bachelor's in Ethnomusicology and Radio Production. You can reach him at jlandes@wamc.org with questions, tips, and/or feedback.