Email Account of Billings Clinic Worker Hacked During Overseas Trip

The email account of an employee of Billings Clinic in Billings, MT, that contained the protected health information of 8,435 patients, has been compromised.

The breach was detected by the clinic’s cybersecurity systems on May 14, 2018, with unusual activity triggering an alert. Rapid action was taken to secure the account, although it is possible that the PHI of patients could have been viewed or copied.

The information in the account was limited. No financial information was exposed, access to medical records was not gained, and no Social Security numbers were stored in the account. Data in the account had been used for scheduling purposes and related to patients who received medical services between 2008 and 2011.

The breach was limited to names, dates of birth, contact information, diagnoses, descriptions of medical services provided, medical record numbers, and internal financial control numbers. The investigation confirmed that the breach was limited to a single email account.

While data breaches such as this can easily be caused as a result of employees responding to phishing attacks, in this case access is believed to have been gained by another means. The employee concerned had recently travelled overseas on a medical mission. The email credentials were obtained by the unauthorized individual while the employee was away on the trip.

Login credentials can easily be intercepted when connecting to unsecured public Wi-Fi networks, or if a connection is made to a rogue Wi-Fi hotspot.

Any healthcare organization that permits employees to take devices containing PHI overseas, or allows workers to access protected health information remotely, should ensure employees undergo security awareness training and are made aware of the risks of connecting to public Wi-Fi networks.

Policies should also be created that require those employees to only connect to the Internet via a virtual private network (VPN). It is also important to ensure VPN software is kept up to date and it is advisable to implement a web filtering solution to protect workers when not on the corporate network.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.