Two weeks after the Springfield, Mass.-based Baystate Health notified 12,000 patients of a phishing attack that potentially exposed their private information, a class-action lawsuit has been filed against the health system, according to a MassLive report.
Baystate, an integrated healthcare system, said that between February and March of this year, it learned of unauthorized access to some employee email accounts due to a phishing incident. An investigation determined that some patient information was contained in the email accounts, including patient names and dates of birth, health information (such as diagnoses, treatment information, and medications), and in some instances health insurance information, Medicare numbers, and Social Security numbers.
Baystate’s electronic medical record (EMR) was not accessed or involved, however, according to the organization’s officials.
On April 11, a lawsuit was filed in the U.S. District Court in Springfield, Mass. According to the report in MassLive, “A class action suit means [attorney Kevin] Chrisanthopoulos is looking for more plaintiffs to add to the suit seeking monetary damages all the eventual plaintiffs would share.”
Baystate, in its April 8 public acknowledgment of the breach, said, “This incident did not affect all Baystate patients, and we have no indication that any patient information was actually acquired or viewed, or that it has been misused. However, in an abundance of caution, we began mailing letters to affected patients on April 5, 2019 and established a dedicated call center to answer questions.”
Officials from Baystate also advised affected patients to review the statements they received from their providers and insurer, and if they saw services they did not receive, to contact the insurer or provider immediately.
For those patients whose Social Security numbers were included in the email accounts, Baystate is offering a free one-year membership of credit monitoring and identity protection services.