
Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018.

In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase.

In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share.

Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000 patients.


Email Accounts Used for Further Attacks on an Organization

If hackers gain access to an email account, not only do they have access to the data stored in that mailbox, but the account also gives them a platform for conducting further attacks. The compromised account can be used to send messages to other employees, and since those messages originate internally, they are unlikely to be flagged as malicious by email security solutions.

These internal emails are carefully crafted based on information gathered from the compromised mailbox. Rather than just sending a standard phishing email from the compromised account to other employees, targets are identified through reconnaissance, the account holder’s message style is copied, and messages are crafted based on past conversations between the account holder and the targets. This allows the attacker to conduct highly convincing spear phishing campaigns that are much more likely to be successful.

Once access to a single account is gained, it is difficult to prevent further email accounts from being compromised, although it is relatively easy to prevent the initial attack. Spam filtering solutions are a must, as they will block the vast majority of malicious messages and prevent them from reaching inboxes. Security awareness training is also essential for preparing employees for attacks and teaching them to recognize phishing emails and other email threats. If two-factor authentication is used, an additional form of authentication is required before the account can be accessed remotely, so a stolen password alone is not enough.
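The lateral phishing pattern described above (a compromised mailbox suddenly sending carefully crafted messages to many colleagues, often from an unfamiliar location) leaves a signature in outbound message-trace logs. The script below is an added example, not code from the Beazley report or HIPAA Journal: it takes a constructed trace export in a simple space-separated shape (timestamp, sender, recipient, source IP; an assumption, real exports differ) and flags senders that either send from a source IP never seen in their baseline period or reach an unusual number of distinct internal recipients inside a short window. The tenant domain, thresholds and all log lines are invented for the example.

```python
"""Flag mailboxes whose outbound behaviour suggests account compromise.

Added example (not from the original article). Input shape, domain,
thresholds and all trace lines are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example-hospital.org"  # hypothetical tenant domain

# Constructed message-trace export, one outbound message per line:
#   <timestamp> <sender> <recipient> <source-ip>      (not real data)
TRACE_LOG = """\
2018-06-11T09:15:02Z alice@example-hospital.org bob@example-hospital.org 198.51.100.5
2018-06-11T14:40:19Z alice@example-hospital.org carol@example-hospital.org 198.51.100.5
2018-06-11T10:05:44Z bob@example-hospital.org alice@example-hospital.org 198.51.100.7
2018-06-12T03:12:01Z alice@example-hospital.org bob@example-hospital.org 203.0.113.10
2018-06-12T03:12:09Z alice@example-hospital.org carol@example-hospital.org 203.0.113.10
2018-06-12T03:12:15Z alice@example-hospital.org dave@example-hospital.org 203.0.113.10
2018-06-12T03:12:22Z alice@example-hospital.org erin@example-hospital.org 203.0.113.10
2018-06-12T03:12:30Z alice@example-hospital.org frank@example-hospital.org 203.0.113.10
2018-06-12T03:12:41Z alice@example-hospital.org grace@example-hospital.org 203.0.113.10
2018-06-12T09:30:00Z bob@example-hospital.org carol@example-hospital.org 198.51.100.7
2018-06-12T11:02:13Z bob@example-hospital.org vendor@partner.example 198.51.100.7
""".splitlines()

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_trace(lines):
    """Parse trace lines into dicts sorted by timestamp."""
    records = []
    for line in lines:
        ts, sender, rcpt, ip = line.split()
        records.append({"ts": datetime.strptime(ts, TS_FMT),
                        "sender": sender.lower(), "rcpt": rcpt.lower(), "ip": ip})
    records.sort(key=lambda r: r["ts"])
    return records


def is_internal(addr):
    return addr.endswith("@" + INTERNAL_DOMAIN)


def flag_suspicious_senders(records, baseline_cutoff,
                            window=timedelta(minutes=30), min_internal_recipients=5):
    """Return {sender: [reasons]} for senders that look compromised.

    Records before baseline_cutoff define each sender's known source IPs;
    records at or after it are examined for new IPs and internal send bursts.
    """
    by_sender = defaultdict(list)
    for r in records:
        by_sender[r["sender"]].append(r)

    findings = {}
    for sender, recs in by_sender.items():
        reasons = []
        baseline_ips = {r["ip"] for r in recs if r["ts"] < baseline_cutoff}
        recent = [r for r in recs if r["ts"] >= baseline_cutoff]

        # Signal 1: sending from an IP this mailbox never used during the baseline
        new_ips = sorted({r["ip"] for r in recent} - baseline_ips)
        if baseline_ips and new_ips:
            reasons.append("new source IP(s): " + ", ".join(new_ips))

        # Signal 2: burst of distinct internal recipients within one window
        worst = 0
        for i, start in enumerate(recent):
            rcpts = set()
            for r in recent[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                if is_internal(r["rcpt"]):
                    rcpts.add(r["rcpt"])
            worst = max(worst, len(rcpts))
        if worst >= min_internal_recipients:
            minutes = int(window.total_seconds() // 60)
            reasons.append(f"{worst} distinct internal recipients within {minutes} min")

        if reasons:
            findings[sender] = reasons
    return findings


def analyze(lines=TRACE_LOG, baseline_cutoff="2018-06-12T00:00:00Z"):
    """Convenience wrapper: parse, then flag, using an ISO cutoff string."""
    cutoff = datetime.strptime(baseline_cutoff, TS_FMT)
    return flag_suspicious_senders(parse_trace(lines), cutoff)


if __name__ == "__main__":
    for sender, reasons in analyze().items():
        print(sender, "->", "; ".join(reasons))
```

On the constructed data only alice is flagged, for both reasons; bob's two ordinary messages from his usual address stay below the threshold. In practice the baseline would be built from weeks of traces rather than a single day, and a hit is a trigger to review the account's sign-in history and recent sent items, not proof of compromise on its own.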

Beazley notes that organizations that use Office 365 are more susceptible to email account compromises. Microsoft’s PowerShell is often exploited and used to log in to email accounts for reconnaissance, and if an email account with the right administrative privileges is compromised, the attacker could potentially search every single inbox in the organization.

Beazley also recommends preventing third-party applications from accessing Office 365, as this can reduce the potential for PowerShell to be used for reconnaissance.

The High Cost of Email Account Compromises

BBR Services often discovers that organizations are only aware of half the inboxes that are compromised in an attack, and that it is not uncommon for hundreds of inboxes to have been compromised in a single phishing campaign.

These breaches can be extremely costly to resolve, as each message must be checked to determine whether it contains PHI or PII. Even a small-scale email breach may cost $100,000 to resolve, while larger breaches can easily cost in excess of $2 million. “Business email compromise attacks are among the more expensive data breaches we see,” said Katherine Keefe, head of BBR Services.

A case study was included in the report detailing the high cost of healthcare phishing attacks. An employee received a phishing email with a link to a website that appeared official, which required that person to enter their email account credentials. That gave the attacker access to that individual’s email account, which was then used in further attacks on the organization.

A forensic investigation revealed that the attacker gained access to 20 email accounts and that the method used would have allowed all 20 of those mailboxes to be downloaded. The messages were programmatically searched for PHI, although 350,000 documents in the email accounts could not be searched and required a manual check. Paying a vendor to search those documents cost $800,000. A further $150,000 was spent on notifications and credit monitoring services.
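The case study turns on two things: a programmatic search of message text for PHI, and a large residue of documents the search could not read and that had to be reviewed by hand. The script below is an added illustration of that triage step, not code from the report or from HIPAA Journal. It scans a constructed mailbox export for a few PHI indicators (a validity-checked SSN pattern, a hypothetical medical record number format, and a labelled date of birth) and separates messages with unsearchable attachments (scans, images) into a manual-review queue. The message contents, the MRN format and the list of searchable attachment types are assumptions made for the example.

```python
"""Triage a mailbox export for PHI indicators after an email account breach.

Added example (not from the original article). Messages, the MRN format and
the searchable-attachment list are constructed assumptions.
"""
import re

# Constructed mailbox export (not real messages)
MESSAGES = [
    {"id": "m1", "subject": "Admission",
     "body": "Patient MRN 0048213 admitted 3/2/2018, DOB 04/11/1962.",
     "attachments": []},
    {"id": "m2", "subject": "Lunch", "body": "Lunch at noon?", "attachments": []},
    {"id": "m3", "subject": "Referral", "body": "See attached referral.",
     "attachments": ["referral_scan.pdf"]},
    {"id": "m4", "subject": "Billing",
     "body": "Use SSN 123-45-6789 for the billing record.", "attachments": ["notes.txt"]},
    {"id": "m5", "subject": "Supplies", "body": "Order number 999-12-3456 shipped.",
     "attachments": []},
]

PHI_PATTERNS = {
    # SSN: reject area 000/666/9xx, group 00 and serial 0000 to cut false positives
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Hypothetical MRN format: 'MRN' followed by 6-8 digits
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,8}\b", re.IGNORECASE),
    # A date explicitly labelled as a date of birth
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Attachment types the text search can read; anything else needs a human (assumption)
SEARCHABLE_EXT = (".txt", ".csv", ".eml", ".html")


def classify_message(msg):
    """Return the PHI indicator names found and the attachments needing manual review."""
    text = msg["subject"] + "\n" + msg["body"]
    hits = sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))
    unsearchable = [a for a in msg.get("attachments", [])
                    if not a.lower().endswith(SEARCHABLE_EXT)]
    return {"id": msg["id"], "phi": hits, "manual_review": unsearchable}


def triage(messages):
    """Bucket messages into PHI found, manual review needed, and no PHI found."""
    result = {"phi_found": [], "manual_review": [], "no_phi_found": []}
    for msg in messages:
        c = classify_message(msg)
        if c["phi"]:
            result["phi_found"].append(c["id"])
        if c["manual_review"]:
            result["manual_review"].append(c["id"])
        if not c["phi"] and not c["manual_review"]:
            result["no_phi_found"].append(c["id"])
    return result


if __name__ == "__main__":
    for bucket, ids in triage(MESSAGES).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The deliberately restrictive SSN pattern is why m5, an order number that happens to look like an SSN, lands in the clean bucket, while m1 and m4 are flagged and m3's scanned PDF goes to the manual queue. The size of that manual queue is the number the case study puts a price on, so an early estimate of it is worth producing before engaging a review vendor.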

Main Causes of Data Breaches in Q2, 2018

Across all industry sectors, the main causes of data breaches were hacks and malware attacks (39%) and accidental disclosures (22%). Even though the number of email attacks increased, hacks and malware attacks decreased by 3% compared to Q1, 2018. The decline was attributed to a fall in ransomware attacks.

The Beazley report shows the main cause of healthcare data breaches was accidental disclosures, which accounted for 38% of all healthcare breaches reported to BBR Services in Q2, 2018. That represents an increase of 29% since Q1, 2018. Hacking and malware attacks accounted for 26% of healthcare data breaches. Insider incidents made up 14% of breaches, 7% involved loss of physical PHI, 6% were due to the loss/theft of portable devices and 4% were due to social engineering attacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.