MassHealth, part of the Massachusetts Executive Office of Health and Human Services, has notified individuals that a document containing their protected health information was inadvertently made public on a state website. The document remained accessible online for nearly five months before the exposure was discovered and corrected. Government agencies that handle Social Security numbers and health information on behalf of the public have a responsibility to ensure that internal documents never become publicly accessible, and a lapse of this length raises real questions about the safeguards MassHealth had in place.
MassHealth’s Data Breach Investigation
According to the notification letter sent to affected individuals, MassHealth became aware in May 2026 that a document had been posted to a page within the mass.gov website. That document contained personal information belonging to affected individuals, including their names, MassHealth ID numbers, and Social Security numbers, and it may have also contained information about payment for health care services and about an accident the individual experienced. MassHealth’s investigation determined that the document had actually been posted on December 22, 2025, and remained live on the site until it was taken down on May 14, 2026, meaning it was publicly accessible for nearly five months.
MassHealth stated that although there were no direct links to the page from elsewhere on mass.gov, the document was findable through ordinary web search, meaning anyone who happened to search for the right terms could potentially have located and viewed it during that window. After discovering the exposure, MassHealth removed the document, confirmed it was no longer indexed by major search engines or archived by the Internet Archive, and opened a formal investigation into how the posting occurred.
Exposures caused by misconfigured or mistakenly published web content are a distinct and increasingly common category of data incident, separate from the hacking intrusions that make up many other breach notifications. Because the information is technically public rather than stolen through an intrusion, these incidents can be harder to detect quickly, since there is no obvious intrusion alert to trigger a response; the exposure is often only found when someone happens to come across the material or a routine audit catches it. That is consistent with the multi-month gap here between when the document was first posted and when MassHealth ultimately discovered and removed it.
The exposure of Social Security numbers is particularly significant because it is one of the most valuable data points to identity thieves, who can use it in combination with a name and date of birth to open new credit accounts, file fraudulent tax returns, or access other financial services in a victim’s name. Health-related information such as payment or accident details carries its own risks as well, since it can be used in targeted phishing schemes where a scammer references real details from the exposed document to appear legitimate. MassHealth has stated it is reviewing its internal procedures and establishing new safeguards to reduce the risk of a similar incident occurring again.
When Did This Breach Occur?
The document was first posted to mass.gov on December 22, 2025. MassHealth became aware of the exposure in May 2026 and removed the document on May 14, 2026. Notification letters to affected individuals followed shortly after.
What Information Was Breached?
The exposed document included affected individuals’ names, MassHealth ID numbers, and Social Security numbers. It may also have contained information about payment for health care services and about an accident the individual experienced. MassHealth has not disclosed the total number of individuals affected.
What You Can Do
If you received a notification letter from MassHealth about this incident, consider taking the following steps:
- Request your free annual credit report at AnnualCreditReport.com and review it for unfamiliar accounts.
- Enroll in the complimentary 24-month Experian IdentityWorks credit monitoring offered in the notification letter.
- Place a security freeze on your credit reports with Equifax, Experian, and TransUnion, which is free under Massachusetts law.
- Watch for phishing attempts that reference details from your MassHealth account or medical history.
File a Data Breach Lawsuit Against MassHealth
Government agencies that collect Social Security numbers and health information from the public are expected to keep that information secure, not accidentally publish it online for months at a time. If your personal information was exposed in this MassHealth incident, you may have legal options.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.