Won’t Get Fooled Again? – Baystate Phishing Attack Serves as Wake-up Call

The trouble with a phishing scam, says Brendan Monahan, is that only one person in an organization has to fall for it to put information at risk.
Or, in Baystate Health’s case, five.
“There is constantly a threat to businesses — including ours; we’re no different — from outside phishing attacks,” said Monahan, manager of Public Affairs for the system, in the wake of a phishing attack in August that exposed the personal data of thousands of patients. “They’re often internationally based and geared toward handing over the keys to the kingdom to a hacker who, from what we understand from most experts, is looking for some financial gain out of it.”
That doesn’t seem to have occurred in this case, Baystate officials say, but the incident, which was made public late last month, is serious enough to trigger a re-examination of the system’s security protocols — and to serve as a warning to other employers in the region, both large and small.
Specifially, on Aug. 22, Baystate learned that a phishing e-mail had been sent to numerous Baystate employees that, if opened, allowed hackers to access those employees’ e-mail accounts.
Phishing is an electronic attempt to obtain sensitive information, such as passwords and credit-card information, by masquerading as a trustworthy source. Phishing e-mails may contain links to a site infected with malware, or directly load a program onto a computer that makes it contents accessible to the scammer. The Baystate scam e-mail was designed to look exactly like an internal memo to employees.
Baystate’s investigation determined that five employees responded to the phishing e-mail, allowing the hackers to gain access to their e-mail accounts. Some of the e-mails included patient information, including names and dates of birth, diagnoses and treatments received, medical record numbers, and, in some instances, health-insurance identification numbers. However, the e-mails did not contain Social Security numbers, credit-card numbers, or other financial information commonly used by scammers and identity thieves to enrich themselves.
“The [phishing] e-mail contained information that would be described as mimicking or mocking an internal Baystate Health HR memo. Five employees clicked on that e-mail, that immediately compromised their Outlook e-mail accounts into the hands of the perpetrator,” Monahan told HCN. “Our computer research firm found exactly what was in the e-mails and what could have been looked at.”
The fact that no financial data was compromised may be small comfort for affected patients, that fact may mean the scammers have no real use for the information, and left it alone when they discovered they couldn’t profit. But that remains to be seen.
“In this case, there was no financial gain to be had from the patient information,” Monahan said. “That’s why we don’t know whether they went through the documents, but they could have.”
Still, he added, “while we have no evidence that any patient information has been taken or misused, we want to assure our patients that we take this incident very seriously.”

Next Steps
Upon discovering the breach, Baystate immediately took steps to secure the e-mail accounts and began an investigation, and also reported the incident to law enforcement.
But finding out what happened and trying to identify the perpetrators is only one step in the process of responding to the incident, Monahan said. Topping that list is ensuring — or at least trying to ensure — that such an incident won’t be repeated, and that begins with employee education and training regarding phishing e-mails and other scams.
“That was already going on beforehand, and I would say it’s being ramped up,” he explained, noting that employees can click a button at the top of any e-mail if they suspect it comes from a suspicious source, and someone from Baystate’s IT staff will come and determine if it’s dangerous or not. “We try and help them, to train them not to click on a suspicious e-mail, what a phishing attack looks like, and how to recognize it when it comes about.”
Phishing scams are, unfortunately, more common in the healthcare realm than some might suspect. In recent years alone, according to data-risk consulting firm IDT911, a server operating under contract for DeKalb Health Medical Group in Indiana experienced a cyberattack that compromised more than 1,300 patient-information records; Baylor Regional Medical Center in Texas was hacked after doctors responded to phishing e-mails, exposing the patient information contained in their inboxes, including names, addresses, dates of birth, and even Social Security numbers; and Franciscan Health System in Washington was hacked in a phishing scheme that affected potentially 12,000 patients.
Norton, the developer of Internet security software, recommends several steps to avoid becoming the victim of phishing at work, including being wary of e-mails asking for confidential information; watching out for generic-looking requests for information, as fraudulent phishing e-mails are usually not personalized; and avoiding using links in an e-mail to connect to a website, instead opening a new browser window and typing the URL directly into the address bar.
“This is constantly a threat that we have to be wary of as employees, in part because we have a confidentiality policy and handle health information and other protected information,” Monahan told HCN. “We have to be good stewards of that. There needs to be a sense of vigilance, and we have to enforce it. With almost 13,000 people who work here, there’s no one piece of software that will block this particular type of attack. It comes down to workforce training.”
Baystate mailed letters to people who may have been affected on Oct. 21, who were directed to call a phone number staffed by an outside contractor hired by Baystate to walk patients through the process of learning if they had been victimized, Monahan said. In the meantime, the health system vowed to raise their level of awareness of threats that continue to evolve in sophistication.
“There are a million cyberthreats out there in the world, and this is one of them,” he said. “We are constantly working to train our workforce to recognize these threats and stay ahead of them — because the threat is always changing.”