A phishing attack on Baystate Health in Massachusetts has exposed the protected health information (PHI) of almost 12,000 patients.
The email accounts of a number of employees were compromised from February 7 to March 7, 2019. Baystate Health identified the phishing attacks during the same time period and, in each case, the compromised email accounts were promptly secured. A third-party computer forensics company investigated the breach and analyzed the emails and email attachments in the compromised email accounts to determine whether they contained PHI and whether they had been accessed by the attackers.
The investigation confirmed that the following patient information was contained in the email accounts: names, birth dates, diagnoses, treatment data and medications. The Social Security numbers, Medicare numbers and health insurance data of some patients were also included in emails and email attachments.
Baystate Health mailed breach notification letters to all patients whose PHI was potentially compromised on April 5. Patients whose Social Security number was exposed were offered free credit monitoring and identity theft protection services for 12 months as a precaution. No evidence was found to indicate that the attackers viewed, misused or copied patient data.
All affected patients have been instructed to review the explanation of benefits statements from their insurance providers and the statements from their healthcare providers for medical services that were billed but never received.
Baystate Health performed a password reset on all compromised accounts to prevent further access and has implemented additional security measures to prevent unauthorized access to its email accounts.
Email logging and log monitoring have been enhanced to make sure that any further breaches are detected rapidly. Employees have also been provided with additional security awareness training to help them identify phishing emails.