Compromised email account exposed patient info from Brigham and Women’s and Brigham and Women’s Faulkner Hospitals
Brigham and Women’s and Brigham and Women’s Faulkner Hospitals, who reported a phishing incident in April 2015, are reporting another incident involving the compromise of an employee’s email account. How the login credentials were compromised is not reported.
In a statement posted to their website, they provide other details:
On November 13, 2015, Brigham learned that an unauthorized party obtained the network credentials of one of our employees and used those credentials to access that employee’s email account. Upon learning this, Brigham took steps to secure the account and immediately began an investigation. Brigham also worked with an expert computer forensic firm to assist with its investigation. Through comprehensive review of the affected email account, we determined that the emails potentially contained information for a limited number of individuals including full name, date of birth, medical record number, provider name, date of service, and some clinical information, such as diagnosis and treatment received. The emails did not contain health insurance numbers or other financial or account information.
This incident did not affect all of Brigham’s patients and did not affect the patient electronic medical records system. Only discrete information contained in the single compromised email account was potentially affected.
We are committed to the security of the sensitive information we maintain and are taking this matter very seriously. To help prevent a similar incident from reoccurring, we are taking steps to enhance our existing technical safeguards regarding network credentials, and we are re-educating workforce members.
Although to date, we have no evidence that any patient information contained in the emails has been misused, as a precaution we began mailing letters to affected individuals on January 11, 2016, and we have established a dedicated call center to answer any questions they may have. If you believe you are affected, but do not receive a letter by January 26, 2015, please call 1-877- (877) 237-5190, Monday through Friday, between 9:00 a.m. and 7:00 p.m. Eastern Time (closed on U.S. observed holidays). Please be prepared to provide the following ten digit reference number when calling: 9887010616.
The incident was reported to HHS on January 11, 2016 as affecting 1,009 patients.