PHI of 12,000 Baystate Health Patients Exposed Due to Phishing Attack

A phishing attack on Baystate Health in Massachusetts has exposed the protected health information (PHI) of almost 12,000 patients.

The email accounts of a number of employees were compromised from February 7 to March 7, 2019. Baystate Health identified the phishing attacks during the same time period and, in each case,  the compromised email accounts were promptly secured. A third-party computer forensics company investigated the breach and analyzed the emails and email attachments in the compromised email accounts to determine whether they contained PHI and whether they had been accessed by the attackers.

The investigation confirmed that the following patient information was contained in the email accounts: Names, birth dates, diagnoses, treatment data and medications. The Social Security numbers, Medicare numbers and health insurance data of some patients were also included in emails and email attachments.

Baystate Health mailed breach notification letters to all patients whose PHI was potentially compromised on April 5. Patients who had their Social Security number compromised were offered free credit monitoring and identity theft protection services for 12 months as a safety precaution. No proof was found to indicate that the attackers viewed, misused or copied patient data.

All affected patients have been instructed to check the explanation of benefits statements from their insurance providers and statements from healthcare providers for medical services that have been billed but not received.

Baystate Health performed a password reset on all compromised accounts to prevent further access and has implemented further security measures to prevent the unauthorized accessing of its email accounts.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Email logging and log monitoring have been enhanced to make sure that any further breaches are detected rapidly. Employees have also been provided with additional HIPAA security awareness training to help them identify phishing emails.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: