[BreachExchange] Class-action lawsuit filed against Baystate Health over data breach

[Destry Winant]

https://www.masslive.com/business/2019/04/class-action-lawsuit-filed-against-baystate-health-over-data-breach.html

A class action suit has been filed against Baystate Health after the
data of 12,000 patients was left vulnerable following a February
phishing attack.

Westfied attorney Kevin Chrisanthopoulos filed the suit April 11 in
U.S. District Court here in Springfield. He announced the suit
Thursday.

A class action suit means Chrisanthopoulos is looking for more
plaintiffs to add to the suit seeking monetary damages all the
eventual plaintiffs would share.

The information compromised in the hack includes patient names, dates
of birth, health information (such as, diagnoses, treatment
information, and medications), and in some instances, health insurance
information, and a limited number of Medicare numbers and Social
Security numbers.

On February 7, 2019, Baystate Health learned of unauthorized access to
an employee’s email account and immediately launched an investigation.
During the course of the investigation the health care giant learned
that nine employee email accounts were compromised as a result of an
email phishing incident.

Lead plaintiff Aleyda Torresis of Springfield, says she is now at
heightened risk for identity theft and other cybercrime, according to
court papers.

A Baystate spokeswoman declined to comment on the lawsuit.

Baystate Health announced the breach April 8, just three days before
the suit was filed but after victims like Torres had been notified.

Baysate, in its announcement, outlined the steps it is taking to
prevent breaches in the future. Baysate required a password change for
all affected employees, increased the level of email logging and are
reviewing those logs regularly, and have blocked access to email
accounts outside of our network. It is also reinforcing ongoing
training and education of all employees focused on detecting and
avoiding phishing emails.

Baystate it is offering a complimentary one-year membership of credit
monitoring and identity protection services for those patients whose
Social Security numbers were included.