Phishing attack at Baystate Health puts data of 13,000 patients at risk

Five employees responded to the phishing emails, which gave hackers unauthorized access to their email accounts, officials said.
By Jessica Davis
01:02 PM

A phishing email scam could potentially expose the personal data of 13,000 patients at Springfield, Massachusetts-based Baystate Health, officials said.

Baystate learned of the phishing campaign sent to several employees on August 22, 2016. Officials said five of its employees responded to the email, which gave hackers access to email accounts of these employees. Some emails in the accounts contained patient information.

The email was disguised as a Baystate memo to employees, officials explained. The health system took immediate action to secure the accounts and start an investigation.


The emails may have included patients' names, dates of birth, diagnoses, treatments and medical record numbers, and some included health insurance identification numbers. Financial data and Social Security numbers were not part of the accessed information.

While there's no evidence this information has been taken or misused, Baystate notified its patients of the breach in a letter sent on October 21. No patient records were accessed, and the health system's EMR system wasn't affected.

"Baystate is committed to protecting private information and is taking this matter very seriously," officials said in a statement. "To help prevent a similar event from happening again, we are increasing our employee training about phishing emails."

"What we need to do and what we can do every day going forward is train and retrain, and educate and reeducate our workforce," Brendan Monahan, a spokesperson for Baystate Health, told 22News. "So when one of these phishing attacks comes in, they know what it looks like, and they're not tempted to click on it."

Twitter: @JessieFDavis