Partners Healthcare System has become the latest healthcare system to disclose that patient data was compromised by employees falling for phishing attacks:
Partners HealthCare System, Inc. and its affiliated institutions and hospitals, including Brigham and Women’s Hospital, Brigham and Women’s Faulkner Hospital, Massachusetts General Hospital,North Shore Medical Center, Partners Continuing Care, and Newton-Wellesley Hospital (“Partners HealthCare”), are committed to protecting the security and confidentiality of our patients’ information. Regrettably, this notice concerns an incident involving some of that information.
On November 25, 2014, we learned that a group of Partners HealthCare workforce members had received “phishing” emails and had provided information in response to these emails believing that they were legitimate. Responding to the “phishing” emails created an opportunity for unauthorized access to the workforce members’ email accounts within the Partners HealthCare network. When we learned of this, we took steps to secure the email accounts and contacted law enforcement. We also began an investigation into the phishing attack on our organization, including working with an expert computer forensic firm.
Partners conducted a comprehensive review of the affected email accounts and determined that some of the emails contained patient demographic information, such as names, addresses, dates of birth, telephone numbers, and, in some instances, Social Security numbers, and some of our patients’ clinical information, such as diagnosis, treatment received, medical record numbers, medical diagnosis codes, or health insurance information.
Importantly, our electronic medical records system was not compromised. Only certain discrete information contained in the compromised email accounts was potentially affected.
To date, we have no evidence that any patient information in the emails has been misused. However, as a precaution, we began mailing letters to affected patients on April 30, 2015, and have established a dedicated call center to answer any questions patients may have. If you believe you have been affected but do not receive a letter by May 21, 2015, please call 1-877-237-9502, Monday through Friday, between 9:00 a.m. and 7:00 p.m. Eastern Time (Closed on U.S. observed holidays). Please be prepared to provide the following ten digit reference number when calling: 3844042415.
We also recommend that affected patients regularly review the explanation of benefits (“EOB”) statements they receive from their health insurer. If you identify services on your EOB that were not received, please immediately contact your insurer.
We deeply regret any inconvenience this may have caused you. To help prevent something like this from happening in the future, we have re-enforced workforce member education regarding “phishing” emails and are enhancing our existing technical safeguards to protect patient information.
Lindsay Kalter of the Boston Herald reports that 3,300 patients may have been impacted.
Partners Healthcare is the second system to disclose such problems this month. DataBreaches.net recently reported that at least five member hospitals of Ascension Healthcare were also hit by successful phishing attacks that were discovered during the first week of December. Ascension, who has yet to issue any statement or disclosure and seems to be letting the affected hospitals individually disclose, was unwilling to disclose how many other hospitals or affiliates in their system may also have been hit. So far, over 83,000 patients have reportedly been impacted by the five hospitals we know about.