Cyber Incident Victim: Brigham and Women's Hospital

Date: Nov 2015

Location: United States of America

Summary

An unauthorized party compromised an employee's email credentials at Brigham and Women’s Hospital and its Faulkner Hospital affiliate, accessing the account and potentially exposing patient information including names, dates of birth, medical record numbers, diagnoses, treatment details, and service dates. The breach did not involve financial data, insurance information, or the primary electronic medical records system. Following discovery, the organization secured the account, initiated an investigation with forensic experts, and notified approximately 1,009 affected individuals while establishing a dedicated call center for inquiries. Security enhancements were implemented, including technical safeguards and workforce re-education to prevent future incidents, with no evidence of misuse identified at the time of reporting.

Description

On November 13, 2015, Brigham and Women’s Hospital and Brigham and Women’s Faulkner Hospitals discovered an unauthorized party had obtained the network credentials of one employee and used them to access that individual’s email account. The hospital secured the compromised account immediately upon detection and initiated an internal investigation, supplemented by support from an expert computer forensic firm. A comprehensive review of the email account determined that emails contained sensitive patient information for a limited number of individuals, including full names, dates of birth, medical record numbers, provider names, dates of service, and clinical details such as diagnoses and treatments. The investigation confirmed the breach did not involve health insurance numbers, financial data, or account information. The hospital emphasized the incident did not impact all patients or the electronic medical records system, limiting exposure to discrete information within the single email account. No evidence of misuse of the exposed patient data was identified during the investigation.

Brigham and Women’s began mailing notification letters to affected individuals on January 11, 2016, advising those who did not receive a letter by January 26 to contact a dedicated call center operational on weekdays. The hospital reported the incident to the U.S. Department of Health and Human Services on January 11, 2016, disclosing 1,009 affected patients. In response to the breach, the institution reinforced technical safeguards related to network credentials and conducted re-education initiatives for workforce members to prevent recurrence. The hospital reiterated its commitment to information security but did not disclose specific technical or procedural changes implemented beyond these general measures. The forensic review and containment efforts focused exclusively on the compromised email account, with no broader system compromise identified.
