On August 22, five employees at Baystate Health in Massachusetts responded to a phishing campaign email, giving hackers access to the email accounts of these five employees. Some emails within these employees’ mailboxes contained patient information, and the personal data of 13,000 patients is at risk.
The hacked emails may have included patient names, dates of birth, diagnoses, treatments, medical record numbers, and possibly health insurance identification numbers. Financial data and Social Security numbers were not accessed.
The phishing email was disguised as a Baystate memo. Upon learning that employees had clicked on the email, the health system took immediate action to secure the accounts and began an investigation. Baystate notified patients of the breach via a letter mailed October 21. No patient records were accessed and the health system’s EMR system was not affected. Baystate is also increasing employee training regarding phishing emails to avoid future incidents.