
Cyber Incident Victim: Baystate Health

Date:

Aug 2016

Location:

United States of America

Summary

A phishing attack compromised several employee email accounts at Baystate Health, potentially exposing patient information held in those mailboxes, including names, dates of birth, diagnoses, treatments, medical record numbers, and in some cases health insurance identification numbers. The organization confirmed that no Social Security numbers, financial data, or electronic medical records were accessed, and that its clinical and billing systems remained unaffected. Following the incident, the affected accounts were secured, an investigation was initiated, and law enforcement was notified; enhanced employee training was implemented to reduce the risk of future phishing compromises.

CIA Posture: Available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On August 22, 2016, Baystate Health discovered that several employees had received a phishing email disguised as an internal organizational memo. The fraudulent communication enabled unauthorized actors to compromise five employee email accounts after recipients responded to the deceptive message. An immediate investigation confirmed the attackers accessed these accounts, which contained emails with protected health information of approximately 13,000 patients. Exposed data included patient names, dates of birth, diagnoses, treatment details, medical record numbers, and health insurance identification numbers in some instances. No Social Security numbers, credit card information, financial records, or electronic medical records systems were accessed during the breach. Baystate secured the compromised accounts upon detection and reported the incident to law enforcement authorities, though no evidence indicated actual theft or misuse of patient data.

Baystate Health initiated patient notification procedures on October 21, 2016, mailing letters to all potentially affected individuals and establishing a dedicated call center for inquiries. The organization emphasized that the phishing attack exclusively targeted employee email accounts and did not penetrate clinical databases or billing systems. In response to the incident, Baystate committed to expanding employee cybersecurity training programs focused on phishing email recognition and prevention. The investigation concluded the breach originated solely from the phishing campaign, with no additional attack vectors or prolonged system access identified. Patient communications outlined the specific data types involved while reaffirming the absence of financial or Social Security number exposure.

Sources
Sources available to members
1 source