12/14/2024 | News release | Distributed by Public on 12/15/2024 06:49
Boston University's renowned Framingham Heart Study (FHS) was breached by hackers, who gained access to the data of participants, both living and deceased, of the country's longest-running, multigenerational heart study.
BU officials say the hackers gained access to the study's server, but that information technology specialists from BU and FHS were able to intervene and quarantine the servers, stopping the attack as it was occurring. However, the hackers still copied, downloaded, and transferred files that contained study participants' personal and medical information, BU officials said. Information relating to all 15,448 participants was affected; officials confirmed that the breach involved the Social Security numbers of less than 2 percent of the participants.
The incident happened on Sunday, September 8. Since then, University and FHS officials have been working closely with the National Institutes of Health (NIH), the agency directing the study, the US Department of Health and Human Services (HHS), and law enforcement agencies to gather information, analyze exactly what happened, and set up support resources for FHS participants.
BU has sent notification letters to all FHS participants and is providing guidance for protecting against identity theft for all participants and free credit monitoring for participants with impacted Social Security numbers. Further information is contained in the notification letters.
"I think, for all of us at the Framingham Heart Study, this has been really shocking," says Joanne Murabito, a professor of medicine at the BU Chobanian & Avedisian School of Medicine and FHS co-principal investigator. "This has never happened before. The original cohort had participated for 75 years, and their children and grandchildren enrolled in the study. In addition, there are two groups of participants from diverse backgrounds that enrolled in the 1990s and the early 2000s. This study really belongs to these participants, and so the confidentiality and safety of their data is paramount."
Murabito adds: "We're in this together, and we want to provide as much information as we can."
The FHS breach is part of a growing trend of data hacks within the healthcare industry. No ransom demand was made in this incident, but according to a study published in the scientific journal JAMA, "the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients."
Christopher Sedore, BU's vice president for Information Services & Technology and chief information officer, says the Framingham data has not been lost: while certain data was accessed and downloaded from the network, FHS officials still have access to all its files and participants' data.
The Framingham Heart Study was founded in 1948 as a concerted research effort into cardiovascular disease. More than 76 years later, FHS, under the direction of the NIH's National Heart, Lung, and Blood Institute (NHLBI), has followed the progression of the disease through three generations of participants and two minority cohorts. Boston University joined as a partner in 1971.
Murabito, along with officials at BU, FHS, and other federal agencies involved in the study, say they have been working, and are continuing to work, diligently to shore up digital security measures and create resources for the participants moving forward.
"We have been working very closely with Boston University, and federal public health and law enforcement agencies, to understand how this happened, to put additional safeguards in place so this does not happen again, to understand the full impact this may have on our participants," Murabito says. "We're working to mitigate any adverse impact it may have and to provide as much support as we can and answer any questions that our participants may have."
Following is a breakdown of what happened and what steps are being taken now.
Sedore: On Sunday, September 8, at 4:33 pm local time, an attacker gained unauthorized access to an FHS server and subsequently compressed a subset of files located there and transferred a copy to an external system. Less than an hour after the file extraction began, BU and FHS quarantined the affected server, interrupting the breach. Unfortunately, the attacker was able to transfer the copied files from the server before the file server was quarantined.
Sedore: Since 1948, the Framingham Heart Study (FHS), under the direction of the National Heart, Lung, and Blood Institute, has been identifying common factors that contribute to cardiovascular disease (CVD) by collecting medical information from study participants.
Thanks to those participants, we now know CVD is caused by certain risk factors, such as smoking, obesity, and high blood pressure or cholesterol.
Information in the files may have included name, address, date of birth, telephone number, email address, sex, race, ethnicity, self-reported broad income and occupational categories, signature, and medical information. Information relating to all 15,448 study participants was affected.
In a limited number of cases, the files also included Social Security numbers. Less than 2 percent of living study participants had their Social Security numbers impacted. Some participants had asked FHS to remove their Social Security numbers from FHS records, and those participants did not have that information in the files.
Sedore: We do not know where the data are or who has them at this time. While we're investigating who is behind the hack, there is no evidence to suggest that it was a Boston University employee.
Sedore: If you participated in the study, your information was impacted. BU sent out notifications to individuals outlining what of their information, specifically, was impacted.
Because of the unique nature of FHS, BU is required to collaborate with the NIH/NHLBI and HHS on the notification process. The notification includes a point of contact should the participants have additional questions not addressed in the notification.
Sedore: BU and FHS followed industry best practices in investigating this incident. Protecting our participants and ensuring that the systems were secured against further data loss after the incident are our top priorities. BU partnered with an outside security firm with deep expertise in forensics to investigate the incident to ensure we identified all affected participants and data impacted by the breach and that no other security concerns were present with FHS. Those efforts, along with setting up credit monitoring for those participants with impacted Social Security numbers and working with appropriate federal agencies and law enforcement, were expedited to notify participants as soon as possible.
Sedore: BU Information Security worked with FHS information technology officers to secure FHS systems, change all passwords, and conduct an investigation to verify the attackers were no longer in the FHS system. The University and FHS officials have also notified law enforcement, as well as our study collaborators at the NIH/NHLBI, and HHS.
In addition, BU has hired an external forensic firm to identify how the attack occurred to prevent it from happening again and an external consultant to reinforce protections of participant data.
Sedore: At this time, we are not aware of any reports of identity fraud or improper use of information as a direct result of this incident. FHS participants may also take advantage of the free annual credit report available from each credit reporting agency by visiting www.annualcreditreport.com. We encourage the study participants to remain vigilant and promptly report any suspicious activity to the proper law enforcement authorities.
Individuals with impacted Social Security numbers will receive credit monitoring services, which will alert them to any unusual activity. These individuals will need to sign up for coverage, following instructions provided in their notification letters.
Sedore: FHS has already addressed the security issues and concerns identified by our outside forensic firm, and added additional security software to its systems to detect and prevent future incidents. In addition, FHS has hired an outside vendor to conduct a thorough security assessment to ensure our protections meet or exceed industry standards.
Sedore: We don't know why FHS was targeted. Data breaches are upsetting, and we understand this may be unsettling news for participants. We are doing everything we can to prevent a recurrence and to enhance protection of the data. BU and FHS are adding additional security measures and monitoring capabilities to further reinforce protections of the participants' data.
Sedore: Yes, this is a common occurrence across all industries these days.
BU and Federal Investigation Underway into Hacking of Framingham Heart Study Data
Molly Callahan began her career at a small, family-owned newspaper where the newsroom housed computers that used floppy disks. Since then, her work has been picked up by the Associated Press and recognized by the Connecticut chapter of the Society of Professional Journalists. In 2016, she moved into a communications role at Northeastern University as part of its News@Northeastern reporting team. When she's not writing, Molly can be found rock climbing, biking around the city, or hanging out with her fiancée, Morgan, and their cat, Junie B. Jones.