
Baystate Health Notifies Individuals of a Privacy Incident

SPRINGFIELD, MA – Baystate Health announced Friday that it is notifying some of its patients about a privacy incident.
On August 22, 2016, Baystate learned that a “phishing” email had been sent to several Baystate employees, potentially allowing the perpetrators to gain access to some employees’ email accounts. The perpetrators intentionally designed the phishing email to appear to be a legitimate internal Baystate memo to employees. Baystate immediately took steps to secure the email accounts and began an investigation. Baystate also worked with an expert computer forensic firm to assist with the investigation and we have reported the incident to law enforcement.
The investigation determined that 5 Baystate employees had responded to the phishing email, allowing the hackers to gain access to their email accounts. Through comprehensive review of the affected email accounts, we determined that some of the emails that may have been accessed included patient information. While we are not certain that these emails were viewed, and we have no evidence that any patient information has been taken or misused, we wanted to assure our patients that we take this incident very seriously. The information contained in the emails may have included patients’ demographic information such as name and date of birth, and may have also included clinical information such as diagnosis, treatment received, medical record number and, in some instances, health insurance identification number. The emails did not contain Social Security numbers, or other financial or account information. Importantly, neither patient medical records nor any of Baystate’s electronic medical record systems were compromised. Only the discrete information contained in the email accounts was potentially affected.
Baystate is committed to the security of the sensitive information it maintains and is taking this matter very seriously. To help prevent a similar incident from reoccurring, we are enhancing our workforce training regarding phishing emails.
While we are not certain that these emails were viewed, and we have no evidence that any of the information has been taken or misused, we began mailing letters to affected individuals on October 21, 2016, and we have established a dedicated call center to answer any questions individuals may have.
For additional information about this incident, please visit the Baystate website at www.baystatehealth.org.
