Regular cybersecurity training and the placement of a button on email to enable employees to report suspicious messages to the IT department for investigation—rather than clicking on the message—helped mitigate a recent phishing attack on five-hospital Baystate Health in Massachusetts.

Baystate has nearly 13,000 employees, and many received the malicious email—designed to look like an internal Baystate memo to employees—but only five of them clicked on it, a spokesperson says. That still put protected health information at risk for 13,112 patients.

A notice to patients said no evidence was found of patient data being taken or misused. The data at risk included patient names, dates of birth, diagnoses, treatments received, medical record numbers and some health insurance identification numbers.

Baystate considered, but is not offering, credit or identity monitoring services because the most sensitive information—Social Security numbers, credit/debit card numbers and other financial information—were not accessed, according to the spokesperson.

Baystate has conducted regular cybersecurity awareness programs across its hospitals and physician practices, and now will do even more, the spokesperson notes. Before the incident, the IT department was conducting fake phishing attacks and educating those who clicked on the bait; now, these fake attacks also will be increased for educational purposes.

(This article appears courtesy of our sister publication, Health Data Management)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access