Baystate Health Informs Patients of E-mail Phishing Incident
SPRINGFIELD — Baystate Health announced it has mailed letters to patients about an e-mail phishing incident that affected approximately 12,000 patients.
On Feb. 7, Baystate Health learned of unauthorized access to an employee’s e-mail account and immediately launched an investigation. During the course of the investigation, it learned that nine employee e-mail accounts were compromised as a result of an e-mail phishing incident.
“As soon as Baystate identified the unauthorized access, each account was secured,” said Kevin Hamel, chief information security officer for Baystate Health. “Baystate hired an experienced computer forensic firm to assist in this investigation.”
The investigation determined that some patient information was contained in the e-mail accounts, including patient names, dates of birth, health information (such as diagnoses, treatment information, and medications), and, in some instances, health-insurance information, as well as a limited number of Medicare numbers and Social Security numbers. Neither patient medical records nor any of Baystate’s electronic-medical-record systems were compromised.
All affected patients are receiving information directly from Baystate Health via direct mail, and Baystate has established a dedicated call center for patients to call with any questions, at (833) 231-3361, from 9 a.m. to 6:30 p.m., Monday through Friday. Baystate is offering a complimentary one-year membership to credit-monitoring and identity-protection services for those patients whose Social Security numbers were exposed.
“The integrity of our information systems and e-mail security is a high priority, and we are committed to maintaining and securing patient information at all times,” said Joel Vengco, senior vice president and chief information officer for Baystate Health.
To help prevent something like this from happening in the future, the health system required a password change for all affected employees, increased the level of e-mail logging (and is reviewing those logs regularly), and blocked access to e-mail accounts outside of its network. It is also reinforcing its current, ongoing training and education of all employees focused on detecting and avoiding phishing e-mails.
More information may be found on Baystate’s website at baystatehealth.org/phishing.