eHealth Email Spoofing Attack Sees Employee W-2 Information Disclosed

In the past few days, two email spoofing attacks have been reported by healthcare organizations that have resulted in the W-2 information of employees being sent to cybercriminals.

Tax season phishing scams are to be expected at this time of year. Cybercriminals target HR and payroll employees and try to fool them into sending the W-2 information of employees via email. The scams are convincing. A casual glance at the address of the sender of the email will reveal nothing untoward. The emails appear to have been sent from other employees who have a legitimate need for the information.

The latest healthcare organization to report being duped by one of these scams is eHealthinsurance. An eHealth employee responded to a phishing email on January 20, 2017 after believing it had been sent from another eHealth employee.

While many of these scams involve emails being sent from compromised company email accounts, in this case the request came from a spoofed email account. The employee sent a file by return that contained employees’ W-2 tax forms. Data passed on to the scammer included employees’ names, addresses, Social Security numbers and wage information.

While employee data were obtained in the attack, an investigation of the incident uncovered no evidence to suggest that eHealth’s systems had been breached or were otherwise compromised.

eHealth has now notified all affected employees of the disclosure of their W-2 forms and has offered each employee 24 months of credit and identity monitoring services without charge to mitigate risk. The IRS has also been notified of the attack. To prevent any recurrences of incidents of this nature, employees are being provided with additional training on safeguarding the privacy and security of data.

Last week, Campbell County Health also reported that one of its employees had fallen for such as scam.

Many businesses and educational establishments have already discovered employees have accidentally disclosed employee W-2 form data to criminals involved in tax fraud and with two months of tax season still to go, they will certainly not be the last.

Healthcare organizations should be particularly vigilant during tax season. Any email request to send W-2 information should be treated as suspicious. To prevent accidental disclosure, any HR or payroll employee that receives a request to send W-2 forms or other tax-related information via email should attempt to verity the legitimacy of the request prior to sending any employee tax information. Since the scammer may have access to corporate email accounts, the request should not be authenticated via email.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.