
Massachusetts General Hospital Data Breach Notification

Source: Massachusetts - Breach Notification Letters (Mar 2026), www.mass.gov
Published February 25th, 2026
Detected March 19th, 2026

Summary

Massachusetts General Hospital (MGH) issued a data breach notification on February 25, 2026, regarding an incident where Protected Health Information (PHI) was inadvertently sent to the incorrect patient. The breach involved names, dates of birth, social security numbers, and diagnoses. MGH is offering 24 months of free credit monitoring and identity theft protection services.

What changed

Massachusetts General Hospital (MGH), a member of Mass General Brigham, has issued a data breach notification letter dated February 25, 2026, detailing an incident where Protected Health Information (PHI) was inadvertently disclosed to an incorrect patient via Patient Gateway on February 3, 2026. The compromised information includes patient names, dates of birth, social security numbers, and diagnoses. As Massachusetts residents, affected individuals are entitled to specific rights, including access to police reports and the ability to place security freezes on their credit files.

MGH is providing 24 months of free credit monitoring and identity theft protection services through Experian's IdentityWorks℠. The notification advises affected individuals on how to activate these services and place security freezes with the three major credit reporting bureaus. The hospital states it has taken steps to investigate the incident, strengthen safeguards, and enhance workforce training to prevent future occurrences. Affected patients are encouraged to contact the Mass General Brigham Privacy Office with any questions, referencing INC-7989-EN.

What to do next

  1. Review MGH data breach notification for affected patients.
  2. Ensure affected patients are aware of their rights and offered services.
  3. Verify internal procedures for PHI handling and transmission are robust.

Source document (simplified)

PRIVACY OFFICE
399 Revolution Drive
Suite 605
Somerville, MA 02145
T 855-726-1300
PrivacyOffice@mgb.org

February 25, 2026

Dear

I am reaching out on behalf of Massachusetts General Hospital (MGH), a member of Mass General Brigham, to inform you of a recent incident involving your Protected Health Information (PHI). We understand how important patient privacy is, and we want to assure you that we take this matter seriously and are committed to keeping you informed and supported throughout.

On February 6, 2026, the Privacy Office became aware that on February 3, 2026, a member of our workforce inadvertently sent a document containing your PHI to the incorrect patient via Patient Gateway. We deeply regret this incident and want to assure you that we have taken appropriate action in response.

The information involved included your name, date-of-birth, social security number, and diagnosis.

As a Massachusetts resident, you are entitled to specific rights designed to protect yourself and your identity:

• Access to Reports: You have the right to obtain any police report filed in connection with this incident.
• Identity Theft Protection: If you are a victim of identity theft, you may file a police report and request a copy for your records.
• Credit Security: You have the right to request that the credit reporting agencies place a security freeze on your credit file.

To offer added reassurance, MGB is providing you 24 months of free credit monitoring and other services through Experian’s IdentityWorks℠. Please refer to the enclosed information sheet with instructions on how to place a security freeze on your credit report and how to activate credit monitoring and other services.

At MGH, we are committed to safeguarding the privacy and security of our patients’ data. MGH has taken all necessary steps to investigate this matter and implement measures to prevent similar incidents in the future. We continue to strengthen our safeguards and promote training, education, and accountability across our workforce to ensure patient information remains protected.

At MGH, we are committed to delivering the highest standards of care and service. If you have any questions about the incident or any other matter involving your privacy, please do not hesitate to contact the Mass General Brigham Privacy Office at 855-726-1300, Monday through Friday, 8:30 a.m. to 5:00 p.m. Eastern Time. Please reference INC-7989-EN when you contact us.

We truly value the trust you place in us and remain committed to protecting your privacy. We are deeply sorry for any worry or inconvenience this incident may have caused. We hope the enclosed resources provide helpful guidance and reassurance.

Sincerely,

Privacy Manager
Mass General Brigham

Enclosures:
Steps you can take to protect your identity
Details on Experian IdentityWorks℠, including steps to activate the credit monitoring

STEPS YOU CAN TAKE TO PROTECT YOUR IDENTITY

Security Freeze. A security freeze prevents credit reporting bureaus from releasing information in your credit file. This can make it harder for identity thieves to open new accounts in your name. Please be aware, however, that placing a security freeze on your credit report may delay approval of any requests you make for new loans, credit, mortgages, or other services. You have the right to request a security freeze for free.

To place a security freeze on your file, you must contact each of the three national credit reporting bureaus. You can contact them by phone, online submission, or mail.

Equifax Information Services
P.O. Box 105788
Atlanta, GA 30348
1-800-685-1111
www.equifax.com/personal/credit-report-services/

Experian
P.O. Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com/help

TransUnion
P.O. Box 2000
Chester, PA 19016
1-888-909-8872
www.transunion.com/credit-help

When requesting a security freeze, you will need to provide information to confirm your identity, such as your name, proof of your current address, your prior address if you’ve moved in the last five years, your date of birth, Social Security number, and other personal information. A security freeze request made by phone or online will be effective within one hour. Requests by mail take up to three business days from when the bureau gets it to be effective.

After requesting a freeze, you will be given a unique personal identification number (PIN) and/or a password. Keep this in a safe place as you will need it to temporarily lift or fully remove the security freeze. The freeze will remain until you ask the credit bureau to temporarily lift or fully remove it. If the request is made online or by phone, a credit bureau must lift the security freeze within one hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after getting your request. There is no charge for placing, lifting, or removing a security freeze.

Review Your Account Statements. Carefully review statements sent to you from healthcare providers as well as from your insurance company to ensure that all of your account activity is valid. Carefully review your bank, credit card, and other account statements every month to ensure that your account activity is valid. Report any questionable charges promptly to the provider or company with which you maintain the account.

Check Your Credit Report. Check your credit report to ensure that all your information is correct. You can obtain a free credit report once per year by visiting www.annualcreditreport.com or by calling 877-322-8228. If you notice any inaccuracies, report the dispute right away to the relevant credit reporting bureau. You can file a dispute on the relevant bureau’s website or by contacting them at the number listed on your credit report. You can also report any suspicious activity to your local law enforcement, in which case you should request a copy of the police report and retain it for your records.

Fraud Alert. You have the right to request that the credit bureaus place a fraud alert on your file. A fraud alert tells creditors to contact you before opening any new accounts or increasing credit limits on your existing accounts. A fraud alert lasts for one year and is free of charge. You need to contact only one of the three credit bureaus to place a fraud alert; the one you contact is required by law to contact the other two. For Fraud Alerts, use the credit bureau contact information provided above in the Security Freeze section.

Consult the Federal Trade Commission. For more guidance on steps you can take to protect your information, you also can contact the Federal Trade Commission at www.ftc.gov/idtheft, or at 877-ID-THEFT (877-438-4338), or at the Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580.

Experian IdentityWorks℠

To help you detect the possible misuse of your personal information, we are providing you with a complimentary 24-month membership in Experian's IdentityWorks credit monitoring product at no cost to you. This product helps detect possible misuse of your personal information and provides you with superior identity protection services focused on immediate identification and resolution of identity theft.

Activate EXPERIAN IDENTITYWORKS℠ MEMBERSHIP Now in Three Easy Steps

  1. Ensure that you enroll by: 05/29/2026 (After this date, your code will not work, and you will not be able to enroll)
  2. Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/3bcredit
  3. Provide your activation code: 92DZM5533

If you have questions or need an alternative to enrolling online, please contact Experian’s customer care team at 833-931-7577 by 05/29/2026 and provide engagement #: B160404

ADDITIONAL DETAILS REGARDING YOUR 24-MONTH EXPERIAN IDENTITYWORKS MEMBERSHIP

The Experian IdentityWorks enrollment and services are provided at no cost to you. A credit card is not required for enrollment in Experian IdentityWorks. You have automatic and immediate access to fraud assistance through Experian. Contact Experian if you believe there was fraudulent use of your information.

Once you enroll in Experian IdentityWorks, you will have access to the following additional features:

▪ Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.*
▪ Credit Monitoring: Actively monitors Experian, Equifax and Transunion files for indicators of fraud.
▪ Experian IdentityWorks ExtendCARE™: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
▪ $1 Million Identity Theft Insurance*: Provides coverage for certain costs and unauthorized electronic fund transfers.

For additional actions you can consider taking to reduce the chances of identity theft or fraud on your account(s), refer to www.ExperianIDWorks.com/restoration.

* Offline members will be eligible to call for additional reports quarterly after enrolling
* Identity theft insurance is underwritten by insurance company subsidiaries or affiliates of American International Group, Inc. (AIG). The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions

Classification

Agency: GP
Published: February 25th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Healthcare providers, Patients
Geographic scope: State (Massachusetts)

Taxonomy

Primary area: Healthcare
Operational domain: Compliance
Topics: Data Privacy, Consumer Protection
