Patients impacted by phishing email scheme
Baylor Regional Medical Center has notified 1,981 patients that their information was compromised when some of the medical center's affiliated physicians responded to phishing emails.
The Plano, Texas-based organization learned on Feb. 24 that phishing emails were sent to a small group of affiliated physicians who responded to the emails thinking that they were legitimate internal requests on or after Jan. 23, according to a notice. By responding to the email, the affiliated physicians may have inadvertently created an opportunity for unauthorized access to their email accounts.
"When we learned of this, we immediately secured the affected email accounts and began an investigation, including hiring an outside forensics expert firm," according to Baylor's notification. "We undertook a comprehensive review of the affected affiliated physicians’ email accounts and confirmed that some of their emails contained patient information and may have included patient demographic information (for example, name, address, date of birth, or telephone number) and limited clinical information (for example, treating physician and/or department, diagnosis, treatment received, medical record number, medications, medical service code or health insurance information), and in a small number of instances, Social Security numbers."
Baylor has no evidence that the information in the emails has been used in any way, but began notifying patients on April 25 as a precaution. They also established a dedicated call center to assist patients with any questions.
The organization said it has re-enforced education with staff regarding phishing emails and is reviewing enhancements to the technical safeguards currently in place to further protect employee email accounts from unauthorized access.