Email Account Compromised: 1,200 MultiCare Patients’ ePHI Exposed

Share this article on:

The Tacoma, WA-based MultiCare Health System has announced that the email account of one of its employees has been compromised by a hacker following a successful phishing attack.

The five-hospital health system issued a statement yesterday about the email security breach confirming patients’ protected health information had been compromised. It is unclear when access to the email account was first gained, although the email security breach was discovered by MultiCare Health on November 27, 2016.

An investigation into the breach was immediately launched and rapid action was taken to secure the health system’s email accounts, including resetting passwords on all email accounts. However, the investigation revealed that only one email account had been compromised.

An analysis of the email account revealed that emails contained the ePHI of 1,200 former and current patients. Data potentially accessed by the attacker included patients’ names, addresses, dates of birth, genders, dates of service, account balances, and diagnosis and treatment information. MultiCare has confirmed that the compromised email account contained no Social Security numbers or financial information.

Patients are in the process of being notified of the security breach by mail and have been advised to check their Explanation of Benefits statements and to report any irregularities. To date, MultiCare has not received any reports of misuse of patients’ information.

Phishing attacks on healthcare organizations are to be expected. It is therefore essential for healthcare organizations to make employees aware of the risk of phishing and how to identify potential phishing attacks. Phishing simulation exercises are highly effective at reinforcing training and can greatly improve detection of phishing emails. Healthcare organizations should also set up a system of reporting potential phishing emails. Fast detection can help to prevent other employees from falling for the scams.

To counter the threat and prevent similar incidents from occurring in the future, MultiCare Health is reinforcing the education and training of its employees and will be providing staff members with additional training on phishing email detection. A review of security practices and procedures and ePHI safeguards has also been scheduled.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On