Baystate says breach from phishing attack could affect 12,000

Phishing attacks that hit several employees at Baystate Health resulted in about 12,000 individuals’ health records potentially compromised.

Massachusetts-based Baystate Health hired a computer forensics firm to investigate the incidents, which occurred in February and March. Affected patient data included names, dates of birth, diagnoses, treatments, medications and, in some cases, health insurance information, Medicare numbers and Social Security numbers. The organization’s electronic heath records system was not affected.

“This incident did not affect all Baystate patients, and we have no indication any patient information was actually acquired or viewed, or that it has been misused,” according to the organization.

Also See: Phishing attack impacts 326,000 patients of UConn Health

Patient notification letters were sent April 5, and a call-in center was established. Baystate advised patients to review statements from providers and insurers to determine if they see services they did not receive, and to contact the provider or insurer immediately if they notice any suspicious charges.

Baystate Health-CROP.jpg

Patients with compromised Social Security numbers were offered one year of credit monitoring and identity protection services from one of the credit rating agencies.

“To help prevent something like this from happening in the future, we required a password change for all affected employees, increased the level of email logging and are reviewing those logs regularly, and have blocked access to email accounts outside of our network unless the access is approved by Baystate,” the company told patients. “We are also reinforcing our current ongoing employee training focused on how to detect and avoid phishing emails.”

Additional information was not immediately available.

For reprint and licensing requests for this article, click here.