Beacon Health System Data Breach (2015)

Beacon Health System

medium
VERIS
Disclosed

January 1, 2015

4103 days ago

Records

220.0K

Confirmed

Root Cause

Phishing

Industry

Technology

Description

Although there is no evidence of any actual or attempted misuse of personal or protected health information belonging to Beacon Health System ("Beacon") patients, Beacon is notifying the media and affected patients that it was the subject of a sophisticated phishing attack, and that unauthorized individuals gained access to Beacon employee email boxes, which contained the personal and protected health information of some individuals, including patients.

Beacon discovered that it had been the target of a sophisticated cyber attack. On March 25, 2015, during the investigation of this attack, Beacon discovered unauthorized access to email boxes of some of its employees, which potentially contained information on patients. Certain email boxes were accessed beginning as early as November 2013, and the last date of unauthorized access into any email box was January 26, 2015. Beacon continued an extensive review to determine if sensitive information was affected. On May 1, 2015, Beacon was advised that protected health information was contained in the affected emails.

While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes. The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included the following types of information: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information. There is no evidence that the unauthorized users viewed or removed data from the email boxes. Beacon is mailing letters to affected individuals beginning May 22, 2015. The forensic investigation is ongoing, and Beacon will notify additional individuals if necessary.

Although there is no report of any attempted or actual misuse of the information contained in the email boxes, Beacon is providing affected individuals with access to one year of free identity and credit monitoring and restoration services, along with access to a confidential assistance line and an identity theft protection specialist. Additionally, Beacon is consulting with the FBI and has notified the Department of Health and Human Services and various state regulators. Beacon is reviewing its policies and procedures and is implementing additional measures to prevent an incident like this from happening again.

Individuals are encouraged to regularly review any Explanation of Benefits statements received from insurers for suspicious activity. If an individual does not receive regular Explanation of Benefits statements, he or she can contact his or her insurer and request copies. Individuals may want to order copies of credit reports and check for any unrecognized medical bills. If an individual finds anything suspicious, he or she can call the credit reporting agency at the phone number on the report. Individuals should keep a copy of notices in case future problems arise. Individuals may also want to request a copy of medical records from providers, to serve as a baseline.