Getty Images

MassHealth Members Impacted by Health Data Breach

A third-party vendor's data breach is impacting over 2,000 MassHealth patients' PHI.

Standard Modern Company, a third-party vendor that works with MassHealth, announced a recent data breach that is impacting some protected health information (PHI) of Massachusetts residents. 

Standard Modern Company (SMC) is a New Bedford-based vendor that provides mailings for MassHealth members on behalf of the Massachusetts Executive Office of Health and Human Services (EOHHS.)  

SMC reported the data breach to the US Department of Health and Human Services Office for Civil Rights on July 20.  

The breach affects 2,707 individuals, according to the OCR.  

“On May 24, 2021, SMC was notified that some MassHealth members received notices that were mailed between May 10, 2021, and May 18, 2021, that contained personal information about other members,” according to the security incident notice published on its website.  

“Upon learning of the incident, SMC immediately stopped mailing to MassHealth members and began an internal investigation to determine the root cause of the incident,” the notice states. “The investigation identified that an internal program error caused the printing of incorrect addresses on a limited number of notices. SMC suspended use of this internal program and implemented additional safeguards and procedures to prevent the issue from reoccurring. SMC has since mailed the correct information to affected MassHealth members.” 

The data breach included members’ names, identification numbers, the last four digits of the members’ Social Security numbers, and dates of birth.  

The notice states there is “no evidence that any information was misused.”  

“After beginning our investigation of this issue, these mailings to MassHealth members were halted until the affected members were identified and the root cause of the incident was determined,” it states. “We stopped using the program that caused the error and implemented additional safeguards and procedures to further strengthen mailing procedures and to prevent the issue from reoccurring. In addition, we worked with a leading privacy and security law firm to aid in our investigation and response.” 

SMC has an assistance line set up for impacted individuals. Those in need of additional information can call 800-405- 6108, from 8am to 8pm Monday through Friday. Representatives are available for 90 days from the date of this notice.  

“Our investigation has given us no reason to believe that information has been further used in an impermissible manner,” the notification concludes. “Nevertheless, there are some things anyone can do if they are concerned about the potential misuse of personal information. It is always recommended that individuals regularly review account statements and report any suspicious activity to financial institutions.”  

Next Steps

Dig Deeper on Cybersecurity strategies