DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Phishing attack hits another healthcare system

Posted on April 30, 2015 by Dissent

Partners Healthcare System has become the latest healthcare system to disclose that patient data was compromised by employees falling for phishing attacks:

Partners HealthCare System, Inc. and its affiliated institutions and hospitals, including Brigham and Women’s Hospital, Brigham and Women’s Faulkner Hospital, Massachusetts General Hospital,North Shore Medical Center, Partners Continuing Care, and Newton-Wellesley Hospital (“Partners HealthCare”), are committed to protecting the security and confidentiality of our patients’ information.  Regrettably, this notice concerns an incident involving some of that information.

On November 25, 2014, we learned that a group of Partners HealthCare workforce members had received “phishing” emails and had provided information in response to these emails believing that they were legitimate.  Responding to the “phishing” emails created an opportunity for unauthorized access to the workforce members’ email accounts within the Partners HealthCare network.  When we learned of this, we took steps to secure the email accounts and contacted law enforcement.  We also began an investigation into the phishing attack on our organization, including working with an expert computer forensic firm.

Partners conducted a comprehensive review of the affected email accounts and determined that some of the emails contained patient demographic information, such as names, addresses, dates of birth, telephone numbers, and, in some instances, Social Security numbers, and some of our patients’ clinical information, such as diagnosis, treatment received, medical record numbers, medical diagnosis codes, or health insurance information.

Importantly, our electronic medical records system was not compromised.  Only certain discrete information contained in the compromised email accounts was potentially affected.

To date, we have no evidence that any patient information in the emails has been misused.  However, as a precaution, we began mailing letters to affected patients on April 30, 2015, and have established a dedicated call center to answer any questions patients may have.  If you believe you have been affected but do not receive a letter by May 21, 2015, please call 1-877-237-9502, Monday through Friday, between 9:00 a.m. and 7:00 p.m. Eastern Time (Closed on U.S. observed holidays).  Please be prepared to provide the following ten digit reference number when calling:  3844042415.

We also recommend that affected patients regularly review the explanation of benefits (“EOB”) statements they receive from their health insurer.  If you identify services on your EOB that were not received, please immediately contact your insurer.

We deeply regret any inconvenience this may have caused you.  To help prevent something like this from happening in the future, we have re-enforced workforce member education regarding “phishing” emails and are enhancing our existing technical safeguards to protect patient information.

Lindsay Kalter of the Boston Herald reports that 3,300 patients may have been impacted.

Partners Healthcare is the second system to disclose such problems this month. DataBreaches.net recently reported that at least five member hospitals of Ascension Healthcare were also hit by successful phishing attacks that were discovered during the first week of December. Ascension, who has yet to issue any statement or disclosure and seems to be letting the affected hospitals individually disclose,  was unwilling to disclose how many other hospitals or affiliates in their system may also have been hit. So far, over 83,000 patients have reportedly been impacted by the five hospitals we know about.


Related:

  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
Category: Health DataMalwareOf NoteU.S.

Post navigation

← Technical College of the Lowcountry notifies students whose SSN were exposed online by third party
Confidential information exposed over 300 times in ICANN security snafu →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Bitcoin holds steady as hackers drain over $40 million from CoinCDX, India’s top exchange
  • Government will ‘robustly defend’ compensation claims from Afghans put at risk by data breach
  • Authorities released free decryptor for Phobos and 8base ransomware
  • Singapore Facing ‘Serious’ Cyberattack by Espionage Group With Alleged China Ties
  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • 𝐔𝐠𝐚𝐧𝐝𝐚 𝐨𝐫𝐝𝐞𝐫𝐬 𝐆𝐨𝐨𝐠𝐥𝐞 𝐭𝐨 𝐫𝐞𝐠𝐢𝐬𝐭𝐞𝐫 𝐚𝐬 𝐚 𝐝𝐚𝐭𝐚‑𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐫 𝐰𝐢𝐭𝐡𝐢𝐧 𝟑𝟎 𝐝𝐚𝐲𝐬 𝐚𝐟𝐭𝐞𝐫 𝐥𝐚𝐧𝐝𝐦𝐚𝐫𝐤 𝐩𝐫𝐢𝐯𝐚𝐜𝐲 𝐫𝐮𝐥𝐢𝐧𝐠.
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.