Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach.

The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach.

The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed.

Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI.

For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and medications. Certain patients also had their Medicare number, health insurance information, and/or Social Security number exposed. At the time of issuing notifications – April 8, 2019 – to affected patients, Baystate Health had not been able to confirm whether PHI had been viewed or copied, but no reports had been received to suggest any PHI had been misused.

As a precaution against identity theft and fraud, individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months at no cost.

Baystate Health has taken reasonable steps to improve email security and prevent further data breaches from occurring. Those steps include providing further training for employees, with a specific focus on improving resilience to phishing attacks. Controls have also been implemented to prevent email account access from outside the organization and the frequency of email logging and log reviews has been increased.

Typically, class action lawsuits seeking damages for the exposure of PHI are only successful when it can be established, on the balance of probabilities, that harm has been suffered as a direct result of a data breach. Only in Illinois is it not necessary to establish harm has occurred as a result of the exposure of personal information for lawsuits to have standing.

“This isn’t the first time the medical center allowed confidential information to be accessed,” explained Chrisanthopoulos. “This is unconscionable, and we need to send a message that this cannot happen again.”

Baystate Health had experienced a similar phishing attack in 2016. In that incident, five employee email accounts were breached and the PHI of 13,112 patients was exposed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.