Framingham Heart Study Breach
On September 8, 2024, Boston University’s Framingham Heart Study (FHS) was breached by hackers, who gained access to the data of both living and deceased FHS participants. Information technology specialists from BU and FHS were able to intervene and quarantine the servers, stopping the attack as it was occurring. However, the hackers still copied, downloaded, and transferred files that contained study participants’ personal and medical information. FHS officials still have access to all of the study’s files and participants’ data. Information relating to all 15,448 participants was affected, and the breach involved the Social Security numbers of less than 2 percent of living study participants.
BU and FHS officials have been working closely with the National Institutes of Health (NIH), the agency directing the study, the US Department of Health and Human Services (HHS), and law enforcement agencies to gather information, analyze exactly what happened, and set up support resources for FHS participants. BU has sent notification letters to all FHS participants and is providing guidance for protecting against identity theft for all participants and free credit monitoring for participants with impacted Social Security numbers.
For more information about the incident, please read “BU and Federal Investigation Underway into Hacking of Framingham Heart Study Data” in BU Today.
Framingham Heart Study FAQ
What happened?
On Sunday, September 8, at 4:33 pm local time, an attacker gained unauthorized access to an FHS server, compressed a subset of the files located there, and transferred a copy to an external system. Less than an hour after the file extraction began, BU and FHS quarantined the affected server, interrupting the breach. Unfortunately, the attacker was able to transfer the copied files from the server before the file server was quarantined.
What data was breached, specifically?
Information in the files included name, address, date of birth, telephone number, email address, sex, race, ethnicity, self-reported broad income and occupational categories, signature, and medical information. Information relating to all 15,448 study participants was affected.
Who was behind the hack, and where is the data now?
We do not know where the data are or who has them at this time. While we’re investigating who is behind the hack, there is no evidence to suggest that it was a Boston University employee.
How and when will people be notified?
If you participated in the study, your information was impacted. FHS sent out notifications to individuals outlining specifically which of their information was impacted. For additional questions not addressed in the notification, please reach out to fhsescalation@bu.edu or 508.532.5293.
Can you tell us more about the investigation?
BU and FHS followed industry best practices in investigating this incident. Protecting our participants and ensuring that the systems were secured against further data loss after the incident are our top priorities. BU partnered with an outside security firm with deep expertise in forensics to investigate the incident to ensure we identified all affected participants and data impacted by the breach and that no other security concerns were present with FHS. Those efforts, along with setting up credit monitoring for those participants with impacted Social Security numbers and working with appropriate federal agencies and law enforcement, were expedited to notify participants as soon as possible.
What have FHS and BU done so far in response?
FHS information technology officers with BU Information Security worked to secure FHS systems, change all passwords, and conduct an investigation to verify the attackers were no longer in the FHS system. The University and FHS officials have also notified law enforcement, as well as our study collaborators at the NIH/NHLBI, and HHS.
In addition, BU has hired an external forensic firm to identify how the attack occurred to prevent it from happening again and an external consultant to reinforce protections of participant data.
Do the affected families need to do anything at this point?
FHS participants may also take advantage of the free annual credit report available from each credit reporting agency by visiting www.annualcreditreport.com. We encourage the study participants to remain vigilant and promptly report any suspicious activity to the proper law enforcement authorities.
Individuals with impacted Social Security numbers will receive credit monitoring services, which will alert them to any unusual activity. These individuals will need to sign up for coverage, following instructions provided in their notification letters.
What are FHS and BU doing to put new safeguards in place to prevent this from happening again?
FHS has already addressed the security issues and concerns identified by our outside forensic firm and has added security software to its systems to detect and prevent future incidents. In addition, FHS has hired an outside vendor to conduct a thorough security assessment to ensure our protections meet or exceed industry standards.
Do you have a sense of why FHS was targeted and whether it could happen again?
We don’t know why FHS was targeted. Data breaches are upsetting, and we understand this may be unsettling news for participants. We are doing everything we can to prevent a recurrence and to enhance protection of the data. BU and FHS are adding additional security measures and monitoring capabilities to further reinforce protections of the participants’ data.
Has this happened with other health studies at other colleges and universities? Is there any pattern?
Yes, this is a common occurrence across all industries these days.