Workers at one of the state's health care giants responded to "phishing" emails last year, compromising their email accounts and potentially giving unauthorized users access to patient Social Security numbers and clinical information.
Partners HealthCare System on Thursday announced it is notifying about 3,300 patients of a "privacy incident" stemming from information it learned on Nov. 25, 2014, concerning workers who responded to phishing emails, which are used to obtain confidential information.
Partners said its own electronic medical records system was not compromised, and it has no evidence that any patient information in the affected email accounts has been misused. The company is asking affected patients to review insurance benefit statements and to contact their insurers if they see services listed on statements that they didn't receive.
The announcement was made by Partners and its affiliates, including Brigham and Women's Hospital, Massachusetts General Hospital, North Shore Medical Center, Partners Continuing Care, and Newton-Wellesley Hospital. Partners said that upon learning of the attack, it secured the email accounts and contacted law enforcement officials while beginning an investigation with computer forensic experts.
Some of the vulnerable email accounts contained patient names, addresses, dates of birth, telephone numbers, Social Security numbers, and clinical information, such as diagnoses, treatment, medical record numbers, diagnosis codes, and health insurance information.
"To help prevent something like this from happening in the future, Partners HealthCare has re-enforced workforce member education regarding 'phishing' emails and is enhancing its existing technical safeguards to protect patient information," the company said.