A February 2019 phishing attack on Baystate Health led to the compromise of the protected health information (PHI) of 12,000 patients. On April 11, attorney Kevin Chrisanthopoulos filed a class action lawsuit in the U.S. District Court in Springfield, MA, on behalf of the people affected by the breach. The lawsuit was filed three days after Baystate Health announced the data breach.
The lawsuit alleges that, as a result of the phishing attack, the plaintiffs now face an increased risk of identity theft and fraud. The patients whose PHI was exposed are seeking monetary damages.
As soon as Baystate Health discovered the breach, it secured its email system and investigated the incident. The investigation found that nine employees’ email accounts were compromised after the employees responded to the phishing emails. The attackers therefore may have accessed the email accounts and viewed patients’ PHI without authorization.
Many of the patients had the following information exposed: names, birth dates, diagnoses, treatment data, and medications. Some patients also had their Medicare number, medical insurance information, and/or Social Security number exposed. On April 8, 2019, Baystate Health sent notifications to the affected patients, but there is no information on whether the attackers viewed or copied PHI, and no incidents of PHI misuse have been reported.
As a precaution, Baystate Health offered patients whose Social Security numbers were compromised one year of credit monitoring and identity theft protection services at no cost.
Baystate Health has taken the recommended steps to strengthen email security and prevent further data breaches. Employees received additional training, with special emphasis on recognizing and resisting phishing attacks. The provider also implemented further controls to block access to email accounts from outside the organization, increased logging of email activity, and now reviews those logs more frequently.
Class action lawsuits seeking damages for the exposure of PHI typically succeed only when the plaintiffs can prove, on the balance of probabilities, that they suffered harm as a direct result of the data breach. Illinois is the only state exempt from this rule requiring proof that harm resulted from the exposure of personal data.
This is not Baystate Health’s first such incident. In 2016, Baystate Health suffered a similar phishing attack that compromised the email accounts of five employees and exposed the PHI of 13,112 patients.