Brigham and Women’s Hospital (BWH), a member of Mass General Brigham, recently notified patients of a privacy incident involving unauthorized access to Protected Health Information (PHI). A workforce member accessed patient records without a work-related reason, potentially exposing highly sensitive medical and personal data.
Brigham and Women’s Hospital’s Data Breach Investigation
Brigham and Women’s Hospital (BWH), part of the Mass General Brigham healthcare system, informed patients of a recent privacy incident involving unauthorized access to Protected Health Information (PHI). According to the notification, the Mass General Brigham Privacy Office became aware on December 18, 2025, that a workforce member accessed certain patient records without a valid work-related reason.
The unauthorized access occurred on dates between December 10, 2024, and December 18, 2025. This type of incident is commonly referred to as an “insider breach,” where an employee or workforce member improperly accesses patient information. Unlike external cyberattacks, insider incidents involve individuals who may already have authorized system access but misuse that access.
Healthcare providers are subject to strict federal and state regulations designed to protect patient privacy, including laws governing the confidentiality of medical records and Social Security numbers. Unauthorized access to PHI is a serious matter because medical records often contain a comprehensive profile of an individual’s identity, health history, and financial data.
According to the notice, BWH deeply regrets the incident and stated that it has taken appropriate action in response. The hospital indicated that it has investigated the matter and implemented measures to prevent similar incidents in the future. BWH also emphasized its ongoing commitment to strengthening safeguards, promoting workforce training, and enhancing accountability to protect patient information.
The information involved in this incident included highly sensitive personal and medical data. Exposure of such information can create significant risks. Medical identity theft, financial fraud, and misuse of Social Security numbers are potential consequences when PHI is improperly accessed. Even if there is no immediate evidence of misuse, individuals may face long-term concerns about how their information could be used.
To provide additional support, Mass General Brigham is offering 24 months of free credit monitoring and related identity protection services through Experian’s IdentityWorks℠. The notice also outlines specific rights available to Massachusetts residents, including the right to obtain police reports related to the incident and the right to request a security freeze on credit files.
Insider incidents can be particularly troubling for patients because they involve trusted personnel within a healthcare organization. Patients share sensitive health information with the expectation that it will remain confidential. When that trust is compromised, it can lead to emotional distress and uncertainty.
If you received a notification from Brigham and Women’s Hospital, it is important to understand both the protective steps available to you and your potential legal rights. When healthcare providers fail to adequately safeguard PHI, affected individuals may have options to seek accountability and compensation through legal action.
When Did This Breach Occur?
The Privacy Office became aware of the incident on December 18, 2025.
The unauthorized access occurred on dates between December 10, 2024, and December 18, 2025.
What Information Was Breached?
According to the notification, the following information was involved:
-
Name
-
Date of birth
-
Address
-
Phone number
-
Social Security number
-
Diagnosis information
-
Medications
-
Order reports
-
Visit information
This combination of identifying and medical data may increase the risk of identity theft and medical fraud.
What You Can Do
If you received a notification from Brigham and Women’s Hospital, consider taking the following steps:
-
Enroll in the complimentary 24-month Experian IdentityWorks℠ credit monitoring service.
-
Review your credit reports and financial accounts for unfamiliar activity.
-
Consider placing a security freeze on your credit file with the major credit bureaus.
-
Obtain and keep copies of any police reports if identity theft occurs.
-
Monitor explanation of benefits (EOB) statements for medical services you did not receive.
Medical identity theft can take time to detect. Staying vigilant and documenting any suspicious activity can help protect you and your family.
You may also want to explore your legal options. Unauthorized access to PHI can constitute a serious breach of privacy rights, and affected individuals may be entitled to compensation.
File a Data Breach Lawsuit Against Brigham and Women’s Hospital
If you received notice that your Protected Health Information was accessed without authorization, you may have the right to pursue compensation through a data breach lawsuit.
Healthcare institutions have a duty to protect patient information and ensure that workforce members access records only for legitimate purposes. When that responsibility is not upheld, patients may suffer harm, including emotional distress, financial risk, and loss of privacy.
A class action lawsuit can allow individuals affected by the same incident to band together to seek accountability and potential compensation. You do not have to face this alone. Understanding your rights is the first step toward protecting yourself and holding organizations accountable.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team
