Phishing Attack on Baystate Health Affects 12,000 Patients

Baystate Health has notified 12,000 patients a phishing attack on their facility compromised their PHI.

Baystate Health, based in Massachusetts, discovered that an unauthorised individual had compromised several employee email accounts between February 7 and March 7, 2019. Each email account was immediately secured, and unauthorised access was blocked.

Baystate Health launched an investigation into the string of attacks, contracting a third-party computer forensics firm to assist in determining the cause and scope of the attacks.

Investigators discovered the compromised accounts contained patients’ names, dates of birth, diagnoses, treatment information, medications and, in some cases, Social Security numbers, health insurance information, and Medicare numbers.

Following HIPAA’s Breach Notification Rule, Baystate Health notified affected patients by letter on April 5. Patients whose Social Security number was exposed have been offered one year of credit monitoring and identity theft protection services without charge.

The investigators did not uncover any evidence to suggest that the unauthorised individuals behind the phishing attack viewed, copied, or misused patient information. However, out of an abundance of caution, all affected patients have been urged to review statements from their providers and explanation of benefits statements from insurers to check that they have not been billed for medical services that have not been received.

Baystate Health performed a forced password reset to secure all affected accounts. The facility has since implemented controls to prevent employee email accounts from being accessed from outside the network unless specifically authorised.

These controls include email logging and log reviews, and additional security awareness training is being provided to employees to help them detect and avoid phishing emails.

The Department of Health and Human Services’ Office for Civil Rights breach portal indicates that 11,658 patients were affected by the breach.

A class action lawsuit was filed against Baystate on 11 April by a number of the affected patients. Lead plaintiff Aleyda Torresis says that because of the breach, she is now at heightened risk for identity theft and other cybercrime.

Baystate has not commented on the class action lawsuit.