Around 12,000 Baystate Health Patients notified about PHI Exposure caused by Phishing Attack

Baystate Health based in Springfield, Massachusetts, is impacted by a phishing attack, which has resulted in exposure of Protected Health Information (PHI) of around 12,000 patients.

A number of employee email accounts got compromised between Feb. 7 and Mar. 7, 2019, when an employee became victim of a phishing attack, thus giving a hacker access of their accounts. All compromised email accounts have been secured immediately upon discovery, however not before some of the patient data were exposed. A third-party forensics firm has been engaged to assist in the investigation.

An analysis of compromised email accounts discovered that they contained names of patients, dates of birth, medications, diagnoses, treatment information, and, in a few cases, health insurance information, Social Security numbers, and Medicare numbers.

All the patients whose PHI was possibly accessed due to a phishing attack have been notified on April 5, 2019, by mail. Moreover, the patients having their Social Security number exposed were offered 365 days of free identity theft protection and credit monitoring services. These services were offered only as a precautionary measure.

Baystate officials said that their database of medical record was not accessed during phishing attack. In a release, the hospital officials said that "this incident did not affect all Baystate patients, and we have no indication that any patient information was actually acquired or viewed, or that it has been misused".

However, all the patients affected by this breach were requested to review explanation of the benefits statements from their insurers along with statements from providers in order to check that they were not billed for the medical services that they have not received.

Baystate Health employees of all affected accounts were required to do password reset. Additionally, Baystate Health has implemented controls in order to stop employee email accounts getting accessed from outside of their network unless authorized specifically.

Email logging along with log reviews were also increased in order to make sure that email account breaches got identified rapidly in future; and more security awareness training have been provided to the employees, so as to help them in detecting and avoiding the phishing emails.

The breach portal of Department of Health and Human Services' Office for Civil Rights indicates that 11,658 patients have been affected by this breach.

» SPAMfighter News - 5/2/2019