Massachusetts Baystate Health had a phishing attack which impacted the protected health information (PHI) of 12,000 patients.
A few employees had their email accounts compromised between February 7 to March 7, 2019. When Baystate Health became aware of the phishing attacks, the employees’ email accounts were properly secured. Investigators of a third-party computer forensics firm reviewed the compromised email accounts and found they contained patient information. The following information were included: patients’ names, birth dates, medications, diagnoses and treatment details. Some patients also had their Social Security numbers, health insurance details and Medicare numbers included.
Baystate Health sent notification letters to all the patients who had their PHI potentially compromised on April 5 and offered free credit monitoring and identity theft protections services for one year to the Patients who had compromised their Social Security numbers. There’s no proof found that is indicative of the access, duplication or misuse of patient data by the attackers.
It is recommended that impacted patients should monitor their explanation of benefits statements and their healthcare providers’ statements to check if there are medical services charged to them but they have not received them.
All the compromised email accounts of Baystate Health employees were password reset. There were also extra security controls applied to keep unauthorized persons from accessing the email accounts, such as email logging and monitoring to quickly identify future email account breaches. Employees received further HIPAA training on security awareness to help identify and stop phishing emails.
The breach report has been submitted to the Department of Health and Human Services’ Office for Civil Rights but there’s no posting about it yet on OCR’s breach portal. Therefore, the exact number of patients affected is not yet known.