Despite persistent training, Baystate Health suffers a breach
Regular cybersecurity training, together with a button in the email client that lets employees report suspicious messages to the IT department for investigation rather than clicking on them, helped mitigate a recent phishing attack on five-hospital Baystate Health in Massachusetts.
Baystate has nearly 13,000 employees, and many received the malicious email—designed to look like an internal Baystate memo to employees—but only five of them clicked on it, a spokesperson says. That still put protected health information at risk for 13,112 patients.
A notice to patients said no evidence was found of patient data being taken or misused. The data at risk included patient names, dates of birth, diagnoses, treatments received, medical record numbers and some health insurance identification numbers.
Baystate considered, but is not offering, credit or identity monitoring services because the most sensitive information (Social Security numbers, credit/debit card numbers and other financial information) was not accessed, according to the spokesperson.
Baystate has conducted regular cybersecurity awareness programs across its hospitals and physician practices, and will now do even more, the spokesperson notes. Before the incident, the IT department was already running simulated phishing campaigns and educating those who clicked on the bait; the frequency of these simulated attacks will now be increased for educational purposes.