Phishing Scam Fools Baystate Health Employees and Exposes PHI

Phishing is a technique commonly used by cybercriminals as an easy way of gaining access to healthcare data. The aim of the scam is to convince individuals into revealing login credentials or infecting their computers with malware. Even when robust cybersecurity defenses are employed to prevent networks and databases from attack, those protections can easily be undone by employees. If employees can be convinced to click malicious links, open infected email attachments, or disclose their login credentials, the attackers can gain a foothold in the network.

Phishing scams can be speculative, although increasingly cybercriminals are using highly targeted campaigns. Well-crafted and highly convincing emails are sent that appear to be genuine requests from colleagues to divulge information. Email attachments often appear to be missed invoices or product orders. However, the criminals behind the phishing campaign used to trick employees of Massachusetts-based Baystate Health in August used a new tactic.

The scammers sent an email that appeared to have come from the Human Resources department. The email appeared to be a genuine communication and the hook used by the scammers was sure to fool at least one employee. The email contained details about salary changes and other important HR information. It is not clear whether the emails contained a malicious attachment or if a link was included that directed users to a malicious website; however, five employees fell for the scam.

As a result of the employees’ actions, the attackers managed to gain access to five email accounts and a database containing sensitive patient information. Some of the compromised email accounts contained a limited amount of sensitive data including patient names, ID numbers, dates of birth, diagnoses, and medical treatments. No financial information, insurance details, or Social Security numbers were exposed. The breach only affected a single database and the email accounts. Electronic medical records were not accessed.

The email system has now been secured and an investigation did not uncover any evidence to suggest patient data had been exfiltrated by the attackers, although it is possible that data were viewed. Consequently, all affected patients have been sent a breach notification letter in accordance with HIPAA Rules to alert them to the potential privacy breach.

To prevent future incidents, Baystate Health has conducted additional staff training to raise awareness of phishing attacks and how to identify scam emails.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of