Berkshire Health Systems, Inc. Data Breach 2025: 1,421 Affected · Insider Snooping at Fairview Hospital · MA. Filed With HHS OCR. What To Do.
Berkshire Health Systems (MA) reported on July 30, 2025 that a Surgical Services employee at Fairview Hospital viewed patient electronic medical records without a legitimate business purpose, potentially dating back to 2014. Exposed data included full names, dates of birth, account numbers, diagnosis codes, and visit notes.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 1, 2014
Employee hired at Fairview Hospital; unauthorized access of patient records may date back to this period per BHS statements to regulators.
Jun 3, 2025
Berkshire Health Systems received a report that a Fairview Hospital employee in Surgical Services may have accessed records without a legitimate business purpose; internal investigation began.
Jul 30, 2025
BHS filed HIPAA breach notification with HHS Office for Civil Rights and notified state attorneys general (including New Hampshire and Connecticut).
Aug 12, 2025
BHS began mailing individual notification letters to affected patients.
Jan 1, 2014
Employee hired at Fairview Hospital; unauthorized access of patient records may date back to this period per BHS statements to regulators.
Jun 3, 2025
Berkshire Health Systems received a report that a Fairview Hospital employee in Surgical Services may have accessed records without a legitimate business purpose; internal investigation began.
Jul 30, 2025
BHS filed HIPAA breach notification with HHS Office for Civil Rights and notified state attorneys general (including New Hampshire and Connecticut).
Aug 12, 2025
BHS began mailing individual notification letters to affected patients.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Berkshire Health Systems, Inc., the largest healthcare provider in Berkshire County, Massachusetts, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on July 30, 2025, reporting 1,421 affected individuals in an insider-misuse incident involving its electronic medical record system. According to BHS’s notification letter, a former employee in the Surgical Services Department at Fairview Hospital in Great Barrington viewed patient records without a legitimate business purpose. Reporting by the Berkshire Argus and others has documented that unauthorized access may extend back to 2014, when the employee was first hired, although BHS told regulators it would review records only back to October 1, 2022.
Timeline
- 2014: The employee at the center of the incident was hired at Fairview Hospital. BHS has acknowledged to regulators that unauthorized record access may date to this period.
- June 3, 2025: BHS received a report flagging that the Surgical Services employee may have accessed patient records without a legitimate work-related reason. An internal investigation followed.
- July 30, 2025: BHS filed the breach with HHS OCR and notified state attorneys general, including New Hampshire and Connecticut.
- August 12, 2025: BHS began mailing individual notification letters to affected patients.
What was exposed
Per BHS’s notification letter and corroborating reporting, the accessed electronic medical records included:
- Full name
- Date of birth
- Account number
- Diagnosis codes
- Visit notes
BHS has stated the former employee’s access was view-only and that there is no evidence records were downloaded, printed, or further disclosed. Financial information, health insurance information, and Social Security numbers were not viewable in the affected views, according to BHS.
What BHS is offering
BHS’s public notification and the New Hampshire Attorney General filing describe the entity’s response as termination of the employee, optimization of privacy-monitoring software, and review of access logs. The public materials reviewed do not indicate that complimentary credit monitoring or identity-theft protection has been offered to affected patients. If you receive a notification letter that includes a monitoring enrollment code, follow the letter’s instructions directly.
Class-action and litigation status
As of this page’s last update, no class-action lawsuit against Berkshire Health Systems related to this incident has been publicly reported in the sources reviewed. The HHS OCR investigation is open. We will update this page if filings are docketed.
What to do if you may be affected
- Watch for a notification letter addressed to you from Berkshire Health Systems. The letter will identify the specific information involved and explain what, if anything, BHS is offering to enroll in.
- Request your medical-record access log. Under HIPAA’s right of access, you can ask BHS for an accounting of disclosures and, where available, an audit of who viewed your record. This is the most useful step for an insider-snooping incident, because credit freezes do not address the harm.
- Freeze your credit anyway if you have not already. It is free at all three nationwide consumer reporting agencies and is the highest-leverage protection against identity theft if any additional data later turns out to have been exposed.
- Bookmark this page. We update it as new public information becomes available.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- New Hampshire Attorney General — BHS breach notification letter (Aug 4, 2025) — the entity’s own notification letter to a state AG, with exposed-data list and incident description.
- The Berkshire Edge — Berkshire Health Systems patients notified of data breach — local press coverage of the August 12, 2025 patient notifications.
- HIPAA Journal — Insider breaches identified by three healthcare providers — trade-press confirmation of the insider incident and response.
- WAMC — Berkshire Argus investigation — reporting on the decade-long access window and BHS’s limited investigative scope.
- Berkshire Health Systems — Policies and Notices — the entity’s own public notices page.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- New Hampshire Attorney General — BHS breach notification letter (Aug 4, 2025)
- The Berkshire Edge — Berkshire Health Systems patients notified of data breach
- HIPAA Journal — Insider breaches identified by three healthcare providers
- WAMC — Berkshire Argus investigation into data leaks at BHS
- Berkshire Health Systems — Policies and Notices
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.