HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack Suffered by Brigham and Women’s Hospital

Boston’s Brigham and Women’s Hospital has alerted patients to a security breach after a phishing attack compromised the email account of a hospital employee. 1,009 patients have been affected by the cyberattack.

Phishing Attack Suffered by Brigham and Women’s and Brigham and Women’s Faulkner Hospitals


Late last year, a Brigham and Women’s Hospital employee fell victim to a phishing attack that resulted in the login credentials of an email account being divulged to the attacker. The email account contained a limited amount of PHI of a small percentage of patients of both the Brigham and Women’s and Brigham and Women’s Faulkner Hospitals in Boston.

According to a breach notice posted on the Brigham and Women’s Hospital website, only one email account was compromised and the electronic health record system was unaffected. Financial account information, Social Security numbers and health insurance numbers were not compromised in the attack, although affected patients have potentially had the following information disclosed: Name, medical record number, date of birth, date of service, provider name, health diagnoses and treatment information.

While access to the email account was provided to the attacker, the hospital has not received any reports that patient data have been used inappropriately. Breach notification letters were mailed to all affected patients on January 11, 2016., to alert them to the privacy breach.

The unauthorized accessing of the email account was discovered on November 13, 2015., although the breach notice does not indicate when the attack actually took place.

Phishing Attack Highlights Need to Conduct Regular Anti-Phishing Training


The data breach highlights the risk of phishing attacks being suffered by healthcare providers and demonstrates how important it is for healthcare providers to conduct regular training sessions on phishing avoidance to manage that risk. Regular anti-phishing training exercises have been shown to be highly effective at preventing phishing attacks from being suffered. The more times phishing exercises are provided; the better staff members get at identifying potential phishing emails.

The phishing attack has prompted Brigham and Women’s Hospital to enhance the technical safeguards used to secure network credentials and further training on network and email security is being provided to members of its workforce in an effort to prevent further cyberattacks from being suffered.

Previous security incidents affecting Patients of Brigham and Women’s and Faulkner Hospitals

Patients of Brigham and Women’s Hospital and Brigham and Women’s Faulkner Hospital were affected by the Partners Healthcare System phishing attack reported to OCR in May last year. 2,252 patients were also impacted by three separate privacy breaches suffered in 2011, 2012, and 2014, each of which involved the theft of unencrypted devices used to store ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.