11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack

The email accounts of two employees of Chicago’s Sinai Health System have been compromised in a recent phishing attack.

Sinai Health System reports that the phishing attack occurred on October 2, and that it was quickly identified and mitigated. Access to the compromised accounts was possible only for a matter of hours. Cybersecurity experts were called in to assist with the investigation, and while the possibility of PHI access cannot be ruled out, the risk faced by patients is believed to be low.

No evidence has been uncovered to suggest any financial information was accessed, although an analysis revealed that the email accounts contained a range of protected health information of 11,350 patients, which could potentially have been viewed.

As a precaution against identity theft and fraud, patients impacted by the breach have been offered identity theft protection and credit monitoring services free of charge for 12 months.

Mitigating the Ever-present Threat from Phishing

Phishing is the biggest cybersecurity threat faced by organizations, with the healthcare industry often targeted by cybercriminals.

A recent study from IronScales shows that between 90% and 95% of successful breaches are the result of phishing. Research conducted by anti-phishing vendor PhishMe similarly suggests more than 90% of data breaches start with a phishing email.

Even with multi-layered phishing defenses, some emails will make it past perimeter defenses and be delivered to end users’ inboxes. It is therefore important to provide security awareness training to employees. Training not only helps to improve employees’ phishing email identification skills and prevent costly data breaches, it is also a requirement of HIPAA.

In its July Cybersecurity Newsletter, OCR reminded HIPAA-covered entities of the importance of providing regular training to employees. The newsletter came after a spate of phishing incidents reported by healthcare providers. The past couple of weeks have seen several further data breaches caused by phishing, underscoring the need for continuous training of healthcare employees.

While HIPAA does not stipulate how often security awareness training should be provided, OCR suggests that many healthcare organizations are providing biannual training sessions, with regular newsletters issued on specific threats and to maintain awareness of the risks from phishing. Using a combination of computer-based training, classroom sessions, newsletters, posters, and phishing simulation exercises, covered entities and their business associates can improve security awareness of the workforce. Alongside spam filters and other anti-phishing technologies, organizations can reduce the risk from phishing to a low and acceptable level.

A recent State of the Phish Report from Wombat Security Technologies suggests that while employees are getting better at identifying phishing emails as a result of security awareness training, many organizations are failing to implement effective employee security awareness training programs.

24% of respondents to a recent survey failed to identify phishing emails, an improvement from the 28% of failures last year, but still a major cause for concern. The State of the Phish report also highlighted the need for continuous security awareness training. Last year when the survey was conducted, respondents scored particularly highly on questions relating to safe Internet access, yet there was a sharp fall in risk awareness in this category a year later. If training is not regularly reinforced, basic security practices can be all too easily forgotten.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.