3,400 Patients’ PHI Potentially Compromised in City of Hope Phishing Attack
A phishing attack on City of Hope has resulted in cybercriminals gaining access to the email accounts of four employees.
The emails made it past spam filtering controls and were delivered to employees on May 31 and June 2, 2017. Four employees responded to the requests and disclosed their login credentials to the attackers. City of Hope says the emails appeared to have been sent from a trustworthy source.
The attackers used the login credentials to access the accounts, although City of Hope was unable to determine the scope or nature of access. On July 21, City of Hope confirmed that three of the accounts contained patients’ protected health information.
The protected health information in the emails included names, addresses, email addresses, contact telephone numbers, dates of birth, dates of service, diagnoses, test results, medication information, and other clinical data. No financial information, insurance details, or Social Security numbers were exposed or accessed.
Phishing attacks such as this are not always concerned with obtaining protected health information. Oftentimes, access to the email accounts is gained in order to use the accounts to send spam emails. City of Hope believes that was the intention of the phishers in this case.
However, since PHI access cannot be ruled out, patients affected by the incident have been advised to remain cautious and monitor their accounts for any sign of suspicious activity. The incident has been reported to law enforcement and a leading forensic information technology firm has been retained to assist with the investigation. The firm will also evaluate City of Hope systems and processes and will assist with strengthening existing security protections to prevent future incidents of this nature from occurring.
The breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The breach summary indicates 3,400 patients have been impacted by the incident.
OCR Highlights the Importance of Regular Security Awareness Training for Healthcare Employees
In its July Cybersecurity Newsletter, OCR reminded covered entities of the importance of providing security awareness training to employees to help prevent attacks such as this from resulting in PHI being compromised.
Security awareness training for the workforce is a requirement of the HIPAA Security Rule and employees should receive regular training to help them identify phishing attacks and other security threats.
OCR suggested the frequency of training should be dictated by the findings of risk analyses, although it was pointed out that many healthcare organizations are conducting biannual training and are issuing monthly security bulletins to employees on the latest threats.
OCR suggests employee security awareness training should include computer-based training, classroom sessions, monthly newsletters, security bulletins, posters, and team discussions, although which training methods are used is left to the discretion of the covered entity.
Security awareness training should be documented, with attestations obtained from employees to prove training has been received. Documentation will be required by OCR if a covered entity is selected for an audit or as part of an investigation into a data breach.