In February 2019, a phishing attack on Baystate Health exposed the protected health information (PHI) of about 12,000 patients. On April 11, attorney Kevin Chrisanthopoulos filed a class action lawsuit in the U.S. District Court in Springfield, MA, on behalf of the people affected by the breach. The lawsuit was filed three days after Baystate Health announced the data breach.
The lawsuit alleges that, as a result of the phishing attack, the plaintiffs now face a heightened risk of identity theft and fraud, and the patients whose PHI was exposed are seeking monetary damages.
When the breach was discovered, Baystate Health secured its email system and started an investigation. According to the investigation findings, the email accounts of nine employees were compromised after those employees responded to phishing emails. The attackers potentially accessed those email accounts, and with them patients' PHI, without authorization.
For many patients, the exposed information included names, dates of birth, diagnoses, treatment details, and prescribed medicines. For some patients, Medicare numbers, health insurance data, and/or Social Security numbers were also exposed. When Baystate Health issued notifications to the affected patients on April 8, 2019, it had not been confirmed whether the attackers viewed or copied any PHI, and no reports indicating misuse of PHI had been received.
As a safety measure against identity theft and fraud, Baystate Health offered people whose Social Security number was compromised free credit monitoring and identity theft protection services for one year.
Baystate Health took steps to strengthen email security and prevent further data breaches. Employees received additional training, with particular emphasis on improving resilience to phishing attacks. The provider also implemented additional controls to block access to email accounts from outside the organization, expanded email logging, and increased the frequency of log reviews.
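The two technical controls named above, blocking mailbox access from outside the organization and reviewing sign-in logs more often, are the kind of thing a small script can check continuously. The following is an added example, not code from Baystate Health or from the article, and it assumes a hypothetical sign-in log format (one line per event with a timestamp, user, source IP, and result) and a constructed set of internal networks; the article gives no such details. It flags successful sign-ins from outside the allowed networks, and also lists any external IP that signed in as more than one account, which is a common pattern when one attacker is using several phished credentials.

```python
"""Review mailbox sign-in logs for access from outside the organization.

Added example: the log format, networks, users, and IPs below are all
constructed for illustration and are not from the article or Baystate Health.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed allowlist of networks from which mailbox access is permitted
# (hypothetical; 203.0.113.0/24 stands in for an organization's public range).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")
]

# Constructed sample sign-in log. The format is assumed for this example.
SAMPLE_LOG = """\
2019-02-07T08:02:11Z user=nurse1 ip=10.4.2.17 result=success
2019-02-07T08:05:40Z user=nurse1 ip=198.51.100.23 result=success
2019-02-07T09:12:03Z user=billing2 ip=192.168.30.5 result=success
2019-02-07T09:13:55Z user=billing2 ip=198.51.100.23 result=failure
2019-02-07T09:14:02Z user=billing2 ip=198.51.100.23 result=success
2019-02-07T10:00:00Z user=admin9 ip=203.0.113.9 result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": kv["user"],
        "ip": ipaddress.ip_address(kv["ip"]),
        "result": kv["result"],
    }


def is_internal(ip):
    """True if the source address falls inside one of the permitted networks."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def flag_external_logins(log_text):
    """Return {user: [external IPs]} for successful sign-ins from outside the allowlist.

    Failed attempts are ignored here: they are noise for this check, although a burst
    of failures followed by a success (billing2 above) is itself worth alerting on.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "success" and not is_internal(ev["ip"]):
            hits[ev["user"]].append(str(ev["ip"]))
    return dict(hits)


def shared_external_sources(log_text):
    """Return {external IP: [users]} for IPs that signed in successfully as 2+ accounts.

    One outside address reaching several mailboxes is a strong indicator that a single
    actor holds multiple phished credentials, which matches the multi-account pattern
    described in the article.
    """
    by_ip = defaultdict(set)
    for user, ips in flag_external_logins(log_text).items():
        for ip in ips:
            by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for user, ips in flag_external_logins(SAMPLE_LOG).items():
        print(f"external sign-in: {user} from {', '.join(ips)}")
    for ip, users in shared_external_sources(SAMPLE_LOG).items():
        print(f"shared external source {ip}: {', '.join(users)}")
```

Run against a real export, the allowlist would be replaced by the organization's actual address ranges and VPN egress, and the two result dictionaries would feed an alert rather than a print; the point is that the "block external access" control and the "review logs" control are the same data looked at from two sides.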
Generally, class action lawsuits seeking damages for PHI exposure succeed only when it can be shown, on the balance of probabilities, that harm was sustained as a direct consequence of the data breach. Illinois is the only state that does not require proof of harm resulting from the exposure of personal data for such a lawsuit to have standing.
This incident is not the first time confidential information has been accessed at the medical center. In 2016, a similar phishing attack on Baystate Health compromised five employee email accounts and exposed the PHI of 13,112 patients.