Staff Email Accounts Compromised in City of Hope Hospital Phishing Attack

A phishing attack on California’s City of Hope Hospital has resulted in four staff email accounts being compromised. Three out of the four compromised email accounts contained a limited amount of protected health information, although the hospital does not believe the attack took place with a view to obtaining patient data. A press release from the Duarte hospital indicates the attack was most probably conducted in order to obtain contact information to use to send spam emails.

A forensic data analysis organized by the hospital revealed that, in the majority of cases, patients only had their name and medical record number exposed. Some patients had more data exposed, including their date of birth, email address, telephone number, home address, dates of service, test results, and medical diagnoses. Only one Social Security number was exposed.

The City of Hope Hospital phishing attack took place between January 18, and January 24, 2016. It is not clear how long it took security staff at the hospital to discover the attack, although prompt action was taken once the intrusion was detected to limit the damage caused.

Email accounts were shut down and an external computer forensics company was hired to investigate the attack and determine the extent to which its systems had been compromised. The company also evaluated the hospital’s systems processes and helped the hospital strengthen its cybersecurity defenses to prevent future attacks from occurring. The forensic analysis was completed on February 18, 2016, after which breach notification letters were sent to affected patients. Local law enforcement has been alerted to the security breach as have the Office for Civil Rights and state agencies.

City of Hope Hospital Phishing Attack Highlights the Importance of Anti-Phishing Training

The City of Hope Hospital phishing attack is just one of a large number of attacks on healthcare providers over the past few months. In this case the data exposed in the attack was minimal, but other healthcare providers have not been so fortunate.

The incident highlights the importance of conducting regular staff training sessions to help employees identify phishing emails. A study conducted by Phishme in 2015 showed that phishing email identification exercises are a highly effective method of reducing risk. Training employees using mock phishing emails can help them to hone their phishing email identification skills, which can reduce the risk of malware being installed or sensitive data being revealed to scammers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.