Baystate Health ('Baystate') is committed to protecting the security and confidentiality of our patients’ information. Regrettably, this notice is regarding an incident that involves some of that information.
Between February 7, 2019 and March 7, 2019, Baystate learned of unauthorized access to a limited number of employee email accounts during that same time frame due to a phishing incident. We immediately secured each account, began an investigation and hired a leading computer forensic firm to assist.
The investigation determined that some patient information was contained in the email accounts, including patient names and dates of birth, health information (such as diagnoses, treatment information, and medications), and in some instances health insurance information, Medicare numbers, and Social Security numbers. Baystate’s electronic medical record was not accessed or involved.
This incident did not affect all Baystate patients, and we have no indication that any patient information was actually acquired or viewed, or that it has been misused. However, in an abundance of caution, we began mailing letters to affected patients on April 5, 2019 and established a dedicated call center to answer questions. If you believe you have been affected by this incident and do not receive a letter by May 5, 2019, please call 1-833-231-3361, from 9 am to 6:30 pm Eastern Time, Monday through Friday.
We recommend that affected patients review the statements they receive from their healthcare providers and healthcare insurer. If they see services they did not receive, they should contact the insurer or provider immediately. For those patients whose Social Security numbers were included in the email accounts, we are offering a complimentary one-year membership of credit monitoring and identity protection services.
To help prevent something like this from happening in the future, we required a password change for all affected employees, increased the level of email logging and are reviewing those logs regularly, and have blocked access to email accounts outside of our network unless the access is approved by Baystate. We are also reinforcing our current ongoing employee training focused on how to detect and avoid phishing emails.