Baystate Health has warned 13,000 of its patients that a phishing attack might have resulted in a breach of their personal data.
The Springfield, Massachusetts-based healthcare organization said the attack occurred on 22 August 2016 when employees received an email from what appeared to be another Baystate staff member.
Five employees in total fell for the scam, which granted the attackers access to their email accounts and potentially the personal information of thousands of employees.
The health system told Healthcare IT News that it sprang into action after it learned of the security incident:
"Baystate immediately took steps to secure the email accounts and began an investigation. Baystate also worked with an expert computer forensic firm to assist with the investigation and we have reported the incident to law enforcement."
As a result of that investigation, officials at the health care organization learned those five compromised email accounts might have enabled attackers to view the personal details of patients, such as their names, dates of birth, diagnoses and treatment records, and some health insurance identification numbers. The emails did not contain patients' financial information or Social Security Numbers.
Investigators have not found evidence suggesting someone misused Baystate patients' personal information as of this writing.
Going forward, the health system is hoping to improve its workforce's awareness of phishing attacks:
"Baystate is committed to protecting private information and is taking this matter very seriously. To help prevent a similar event from happening again, we are increasing our employee training about phishing emails."
Brendan Monahan, a spokesperson for Baystate Health, echoed those thoughts:
"What we need to do and what we can do every day going forward, is train and retrain, and educate and reeducate our workforce. So when one of these phishing attacks comes in, they know what it looks like, and they're not tempted to click on it."
One of the easiest and most cost-efficient ways for organizations to train their employees to recognize phishing attacks is to deploy third-party simulated-phishing e-learning software in the workplace.