Active breach tracker MA Disclosed July 30, 2025

Berkshire Health Systems, Inc. Data Breach 2025: 1,421 Affected · Insider Snooping at Fairview Hospital · MA. Filed With HHS OCR. What To Do.

Berkshire Health Systems (MA) reported on July 30, 2025 that a Surgical Services employee at Fairview Hospital viewed patient electronic medical records without a legitimate business purpose, potentially dating back to 2014. Exposed data included full names, dates of birth, account numbers, diagnosis codes, and visit notes.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 1, 2014

Employee hired at Fairview Hospital; unauthorized access of patient records may date back to this period per BHS statements to regulators.

Jun 3, 2025

Berkshire Health Systems received a report that a Fairview Hospital employee in Surgical Services may have accessed records without a legitimate business purpose; internal investigation began.

Jul 30, 2025

BHS filed HIPAA breach notification with HHS Office for Civil Rights and notified state attorneys general (including New Hampshire and Connecticut).

Aug 12, 2025

BHS began mailing individual notification letters to affected patients.

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Diagnosis codes

03

Contact & insurance

Phishing + targeted scams

Full name Account number Visit notes
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Berkshire Health Systems, Inc., the largest healthcare provider in Berkshire County, Massachusetts, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on July 30, 2025, reporting 1,421 affected individuals in an insider-misuse incident involving its electronic medical record system. According to BHS’s notification letter, a former employee in the Surgical Services Department at Fairview Hospital in Great Barrington viewed patient records without a legitimate business purpose. Reporting by the Berkshire Argus and others has documented that unauthorized access may extend back to 2014, when the employee was first hired, although BHS told regulators it would review records only back to October 1, 2022.

Timeline

  • 2014: The employee at the center of the incident was hired at Fairview Hospital. BHS has acknowledged to regulators that unauthorized record access may date to this period.
  • June 3, 2025: BHS received a report flagging that the Surgical Services employee may have accessed patient records without a legitimate work-related reason. An internal investigation followed.
  • July 30, 2025: BHS filed the breach with HHS OCR and notified state attorneys general, including New Hampshire and Connecticut.
  • August 12, 2025: BHS began mailing individual notification letters to affected patients.

What was exposed

Per BHS’s notification letter and corroborating reporting, the accessed electronic medical records included:

  • Full name
  • Date of birth
  • Account number
  • Diagnosis codes
  • Visit notes

BHS has stated the former employee’s access was view-only and that there is no evidence records were downloaded, printed, or further disclosed. Financial information, health insurance information, and Social Security numbers were not viewable in the affected views, according to BHS.

What BHS is offering

BHS’s public notification and the New Hampshire Attorney General filing describe the entity’s response as termination of the employee, optimization of privacy-monitoring software, and review of access logs. The public materials reviewed do not indicate that complimentary credit monitoring or identity-theft protection has been offered to affected patients. If you receive a notification letter that includes a monitoring enrollment code, follow the letter’s instructions directly.

Class-action and litigation status

As of this page’s last update, no class-action lawsuit against Berkshire Health Systems related to this incident has been publicly reported in the sources reviewed. The HHS OCR investigation is open. We will update this page if filings are docketed.

What to do if you may be affected

  • Watch for a notification letter addressed to you from Berkshire Health Systems. The letter will identify the specific information involved and explain what, if anything, BHS is offering to enroll in.
  • Request your medical-record access log. Under HIPAA’s right of access, you can ask BHS for an accounting of disclosures and, where available, an audit of who viewed your record. This is the most useful step for an insider-snooping incident, because credit freezes do not address the harm.
  • Freeze your credit anyway if you have not already. It is free at all three nationwide consumer reporting agencies and is the highest-leverage protection against identity theft if any additional data later turns out to have been exposed.
  • Bookmark this page. We update it as new public information becomes available.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.