Baystate Health in Massachusetts suffered a phishing attack that exposed the protected health information (PHI) of roughly 12,000 patients.
Baystate Health discovered the phishing attack, which took place between February 7 and March 7, 2019. The email accounts of several employees were compromised; each account was secured as soon as the compromise was identified. A computer forensics firm assisted with the investigation. The email messages and attachments in the affected accounts were analyzed to determine whether they contained PHI and whether the attackers had accessed that information.
The investigation confirmed that the email accounts contained patient data such as names, birth dates, medications, diagnoses and treatment information. For some patients, the messages and attachments also included health insurance information, Social Security numbers and Medicare numbers.
Baystate Health mailed breach notification letters to the affected patients on April 5. Patients whose Social Security numbers were compromised were offered one year of free credit monitoring and identity theft protection services. No evidence was found that the attackers viewed, copied or misused patient information.
All affected patients were advised to closely review the explanation of benefits statements from their insurers and the statements from their medical providers for charges for services they did not receive.
Baystate Health reset the passwords of all compromised email accounts to block further access and implemented additional security measures to prevent unauthorized access to employee email accounts.
Email logging and log monitoring were improved so that breaches can be detected more quickly, and employees received additional security awareness training to help them recognize phishing emails.