Healthcare Data Breaches Due to Phishing

Phishing is a leading cause of healthcare data breaches, and attacks have been increasing. According to the 2022 IBM X-Force Threat Intelligence Index, phishing is the leading infection vector in cyberattacks. In 2021, four out of 10 attacks started with phishing, an increase of 33% from 2020. The Anti-Phishing Working Group (APWG) reports that phishing attacks have doubled since 2020.

Phishing attacks provide cyber threat actors with an easy way to reach their intended targets, and the attacks work because a small but significant proportion of emails attract a click. According to the 2022 Verizon Data Breach Investigations Report (DBIR), phishing simulation data shows that 2.9% of phishing emails are clicked, on average.

Phishing is used to steal credentials that allow threat actors to access accounts containing sensitive data, and to gain access to email accounts for conducting business email compromise (BEC) attacks. According to Verizon's data, 41% of BEC attacks involved credentials obtained through phishing. Phishing is also used for malware delivery and is a key vector for gaining the initial access to networks needed to conduct ransomware attacks.

Phishing attacks are becoming increasingly sophisticated, and with the volume of attacks also increasing, blocking these cyberattacks is a key priority for security teams. A 2021 survey by Ironscales revealed email phishing is the top concern of 90% of IT professionals due to the damage that can be caused and the resources that need to be devoted to dealing with attacks. In the survey, 52% of IT professionals said they spend an equal amount of time dealing with phishing attacks as they do on other cybersecurity issues, and 37% said resolving phishing attacks is the most resource-consuming task compared to other attacks.

More than 80% of organizations represented in the survey said they had seen an increase in phishing attacks since the start of the pandemic, and that data is backed up by IBM, which reports that 17% of companies experienced a data breach due to phishing in 2021.

The Cost of Phishing Attacks

Phishing attacks can have major financial implications for healthcare organizations. According to a 2021 survey conducted by the Ponemon Institute on behalf of Proofpoint, the cost of phishing attacks has quadrupled over the past 6 years. The average cost of a phishing attack is now $14.8 million per year for companies in the United States, up from $3.8 million in 2015. U.S. companies spend $6 million a year on recovery from business email compromise attacks (BEC), and companies with an average of 9,567 employees lose 65,343 hours per year due to phishing attacks.

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) 2021 Internet Crime Report shows there were 323,972 complaints made about phishing attacks in 2021, making it the biggest cause of complaints in terms of the number of victims, with reported losses of $44,213,707 in 2021. There were 19,954 complaints about BEC attacks, which often involve phishing. $2,395,953,296 was lost to BEC attacks in 2021, with $43 billion known to have been lost to BEC scams between June 2016 and December 2021.

Phishing-related Healthcare Data Breaches

As required by the HITECH Act, the Department of Health and Human Services (HHS) started publishing summaries of healthcare data breaches of 500 or more records in 2009. From October 1, 2009, to December 31, 2021, there were 4,419 reported breaches of the protected health information of 500 or more individuals, and the number of data breaches has been increasing year on year. More than 800 of those breaches – around 18% – are listed as healthcare phishing attacks or involved the hacking of email accounts, not counting the malware and ransomware attacks that started with a phishing email.

Phishing is the most common attack vector in U.S. healthcare cyberattacks. The 2021 HIMSS Healthcare Cybersecurity Survey found phishing and ransomware attacks were behind the most significant security incidents, with 57% of respondents saying their most significant security incident involved phishing.

Phishing attacks frequently result in data breaches of hundreds of thousands of records, and in several cases, millions of records have been stolen after employees disclosed their credentials or downloaded malware by responding to phishing emails. Listed below are some of the largest and costliest healthcare phishing attacks to be reported over the past few years.

Anthem Inc.

In February 2015, Anthem Inc. announced it had suffered a cyberattack and data breach, which turned out to be the largest healthcare data breach ever reported, involving the records of 78.8 million plan members. The cybersecurity firm Mandiant confirmed the attack started on February 18, 2014, when a user at one of Anthem's subsidiaries opened a phishing email. That action triggered the download of malware which allowed the hackers to remotely access computers and move laterally to other systems. The attack saw at least 50 accounts and 90 systems compromised, including Anthem's data warehouse.

Premera Blue Cross

Also in 2015, the health insurer Premera Blue Cross announced that the records of 10.4 million current and former health plan members had been compromised. The compromised records included credit card numbers, Social Security numbers, and other sensitive data. The cyberattack started in May 2014 with phishing emails that were used to install malware. The malware provided the hackers with access to Premera Blue Cross systems, where they remained undetected for more than 9 months.

Iowa Health System (UnityPoint Health)

Between March and April 2018, a phishing campaign targeted UnityPoint Health and resulted in several employee email accounts being compromised. The phishing emails appeared to have been sent internally from a UnityPoint executive. The compromised accounts contained the protected health information of 1,421,107 patients, with the attack believed to have been conducted to try to divert payroll and vendor payments. This was the second major phishing attack to be reported by UnityPoint Health that year, with 16,429 records compromised in an earlier phishing attack.

MEDNAX Services, Inc.

MEDNAX Services is a Florida-based HIPAA business associate that provides revenue cycle management and other administrative services to healthcare organizations. In December 2020, MEDNAX announced that a hacker had gained access to multiple email accounts within its Microsoft 365 environment in June 2020. Those accounts contained the protected health information of 1,290,670 individuals. MEDNAX was providing support and services to the North American Partners in Anesthesia-owned American Anesthesiology business, and the records of 1,269,074 American Anesthesiology patients were compromised.

Magellan Health Inc.

In April 2020, the Fortune 500 insurance company Magellan Health experienced a sophisticated social engineering phishing attack that involved the impersonation of one of its clients. Through that attack, the hackers gained access to its network and deployed ransomware. The breach was reported as affecting 1,013,956 Magellan Health members, but other Magellan units were also affected. In total, around 1.7 million records are believed to have been compromised. The previous year, a phishing attack was reported by Magellan Health that affected 55,637 plan members.

County of Los Angeles Departments of Health and Mental Health

In May 2016, a couple of months after experiencing a ransomware attack, the County of Los Angeles Departments of Health and Mental Health was targeted in a phishing campaign. This incident highlights just how important it is to provide security awareness training to the workforce. The email accounts of an astonishing 108 employees were compromised when the employees responded to the phishing emails. Those email accounts contained the protected health information of 749,017 individuals.

Oregon Department of Human Services

In May 2019, the Oregon Department of Human Services was targeted in a spear phishing attack that fooled 9 employees and allowed the attackers to access their accounts for 19 days. The email accounts contained the personal information of clients in welfare and children’s services programs, including names, addresses, and Social Security numbers. 625,000 individuals were affected.

Financial Penalties for Phishing Attacks

In addition to the cost of remediating phishing attacks, issuing breach notification letters, and paying for identity theft protection services for breach victims, financial penalties may be imposed by regulators.

The HIPAA Security Rule requires HIPAA-regulated entities to implement technical, administrative, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. The failure to implement appropriate safeguards to reduce the risk of phishing attacks can result in HIPAA compliance penalties.

In 2015, University of Washington Medicine was hit with a $750,000 financial penalty for a malware-related data breach that started with a phishing attack. The attack involved a spoofed email with an email attachment that contained malicious code that downloaded malware.

The phishing attack that provided hackers with access to Anthem’s systems resulted in a $16 million penalty from the HHS’ Office for Civil Rights to resolve the HIPAA violations. Anthem also settled a multi-state action with state attorneys general and paid a penalty of $48.2 million. The Premera Blue Cross cyberattack started with a phishing email and led to an OCR HIPAA penalty of $6.85 million and a $10 million multistate settlement.

Four Pillars of Phishing Defense

Phishing attacks are increasing in sophistication as well as number. While it was once sufficient to block phishing emails with a spam filter or email security gateway, the changing tactics, techniques, and procedures of threat actors and the sheer number of attacks mean a single cybersecurity solution is no longer sufficient. To block phishing attacks, it is necessary to adopt a defense-in-depth strategy that incorporates multiple overlapping layers of protection. Listed below are the four pillars of phishing defense that are needed to deal with these email threats.

1. Email Security

The primary technical defense against phishing attacks is a secure email gateway or spam filter. This first layer of phishing defense analyzes all inbound and outbound email for malicious content, spam, and junk mail. Provided as an appliance, virtual appliance, software solution, or cloud service, these anti-phishing solutions protect against a broad range of email-borne threats. They include anti-virus engines for detecting known malware and malicious code, and often provide behavior-based detection in a sandbox to catch novel malware variants.

Phishing protection comes from analyzing email headers: blocking messages from known malicious IP addresses and checking that the sender is authorized to use the claimed address or domain, which is done with SPF, DKIM, and DMARC. Secure email gateways also assess message content for wording indicative of phishing and follow hyperlinks to identify malicious websites. One caveat: sender authentication only proves that a message came from the domain it claims. An attacker who registers a lookalike domain and configures SPF and DKIM for it will pass those checks, so lookalike-domain and display-name checks are needed as well.
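The header checks described above, as an added example that is not part of the original article or any vendor's product: it parses the From: header and the Authentication-Results header (RFC 8601) that a receiving mail server adds, checks that a passing SPF or DKIM result is aligned with the From: domain in the way DMARC requires, and then applies the two checks that authentication alone cannot make, a lookalike-domain comparison and a display-name spoofing check. The protected domain, brand string, organizational-domain shortcut, and the three sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the domain the organization legitimately sends
# mail as, and the brand string an attacker would put in a display name.
PROTECTED_DOMAINS = {"example-health.org"}
PROTECTED_BRANDS = {"example health"}

AUTH_RESULT = re.compile(r"\b(spf|dkim)=(\w+)")
MAILFROM = re.compile(r"smtp\.mailfrom=([^;\s]+)")
DKIM_D = re.compile(r"header\.d=([^;\s]+)")


def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels. Real gateways consult the
    Public Suffix List; this shortcut is an assumption kept simple here."""
    return ".".join(domain.lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the protected domain this sender domain imitates, if any."""
    od = org_domain(domain)
    if od in PROTECTED_DOMAINS:
        return None
    label = od.split(".")[0]
    for protected in PROTECTED_DOMAINS:
        if edit_distance(label, protected.split(".")[0]) <= 2:
            return protected
    return None


def assess(raw_message: str) -> dict:
    """Score one inbound message from its From: and Authentication-Results headers."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    results = dict(AUTH_RESULT.findall(auth))
    findings = []

    # 1. DMARC-style alignment: SPF or DKIM must pass for a domain in the same
    #    organization as the visible From: domain, not merely for any domain.
    m = MAILFROM.search(auth)
    spf_domain = m.group(1).rpartition("@")[2] if m else ""
    d = DKIM_D.search(auth)
    dkim_domain = d.group(1) if d else ""
    aligned = (
        (results.get("spf") == "pass" and org_domain(spf_domain) == org_domain(from_domain))
        or (results.get("dkim") == "pass" and org_domain(dkim_domain) == org_domain(from_domain))
    )
    spoofs_own_domain = org_domain(from_domain) in PROTECTED_DOMAINS and not aligned
    if not aligned:
        findings.append("no aligned SPF or DKIM pass for the From: domain")

    # 2. Lookalike domain: the attacker's own domain passes SPF and DKIM.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} resembles {target}")

    # 3. Display-name spoofing: the brand in the friendly name, external address.
    if any(b in display.lower() for b in PROTECTED_BRANDS) and org_domain(from_domain) not in PROTECTED_DOMAINS:
        findings.append(f"display name '{display}' claims the organization but address is {addr}")

    if spoofs_own_domain or len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"from": addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real traffic).
LEGIT = """\
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=payroll@example-health.org; dkim=pass header.d=example-health.org
From: "Example Health Payroll" <payroll@example-health.org>
Subject: Pay stubs for March are available

Log in to the HR portal as usual to view them.
"""
LOOKALIKE = """\
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=billing@examp1e-health.com; dkim=pass header.d=examp1e-health.com
From: "Example Health Payroll" <billing@examp1e-health.com>
Subject: Updated direct deposit form, action required

Please confirm your banking details on the attached form.
"""
SPOOFED = """\
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=it@mail-relay.example.net; dkim=none
From: "Example Health IT" <it@example-health.org>
Subject: Your mailbox password expires today

Re-enter your password here to keep your account active.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(name, assess(sample))
```

The lookalike sample is the instructive case: SPF and DKIM both pass because the attacker controls examp1e-health.com, so the alignment check is satisfied and only the lookalike and display-name heuristics catch it. The spoofed sample is the opposite: the From: domain is genuine but nothing authenticates it, which is exactly what a DMARC reject policy on the organization's own domain is meant to stop.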

Outbound filtering provides data loss prevention, stopping PHI and other sensitive information from being sent externally, and helps identify compromised mailboxes that are being used to send phishing emails to internal and external contacts. Vendors typically claim that these solutions block more than 99% of spam and known malware, along with most phishing emails; the remainder is what the other three pillars must catch.

2. Web Security

Email security solutions should be augmented with a web security solution. A web security solution adds an extra layer of protection and tackles phishing attacks from a different angle, by blocking access to the websites where credentials are harvested or malware is hosted. Web security solutions provide time-of-click protection against attacks involving malicious hyperlinks. This is important as many email security solutions struggle to identify malicious links in emails and it is inevitable that some phishing emails will be delivered to inboxes.

Web security solutions – often called web filters, DNS filters, or web protection solutions – contain blocklists of known malicious websites and are constantly updated with the latest threat intelligence. They analyze web content on the fly, assess sites for malicious content or the presence of certain keywords, and can be used not only to block malicious sites but also risky categories of websites such as peer-to-peer file-sharing networks. The solutions can block drive-by malware downloads and downloads of risky file types, such as executable files. They also provide security teams with full visibility into web traffic, allowing them to take proactive steps to reduce risk and giving them detailed data for investigations.
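The time-of-click protection and URL checks described above, as an added example that is not from the original article or any product: at delivery time the gateway rewrites each link to point at its own redirect endpoint, signing the original URL so the endpoint cannot be abused as an open redirector, and at click time it verifies the signature and evaluates the destination against the blocklist as it stands at that moment rather than as it was when the email arrived. The redirect host, signing key, blocklist entries, and risky-extension list are constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse, unquote

# Assumptions for this example: the gateway's redirect endpoint, its signing
# key, and a small constructed blocklist that threat intelligence would update.
REDIRECT_HOST = "https://links.example-health.org/click"
SIGNING_KEY = b"example-gateway-signing-key"
BLOCKLIST = {"evil.example", "cred-harvest.example.net"}
RISKY_EXTENSIONS = (".exe", ".scr", ".hta", ".js", ".vbs", ".iso", ".lnk", ".msi")


def add_to_blocklist(domain: str) -> None:
    """Simulates a threat-intelligence update arriving after delivery."""
    BLOCKLIST.add(domain.lower())


def sign(url: str) -> str:
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite(url: str) -> str:
    """Delivery-time rewrite: wrap the original link so every click passes
    through the gateway. The HMAC stops the endpoint being used as an open
    redirector that would lend attacker links a trusted hostname."""
    return REDIRECT_HOST + "?" + urlencode({"u": url, "t": sign(url)})


def evaluate(url: str) -> tuple:
    """Evaluate a destination with the current blocklist and heuristics."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https"):
        return ("block", f"unexpected scheme {p.scheme!r}")
    if "@" in p.netloc:
        # https://example-health.org@evil.example/ reads like the trusted site
        return ("block", "userinfo in authority masks the real host")
    if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
        return ("block", f"blocklisted domain {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ("block", "raw IP address as host")
    if unquote(p.path).lower().endswith(RISKY_EXTENSIONS):
        return ("block", "download of a risky file type")
    return ("allow", "no indicators")


def on_click(rewritten_url: str) -> tuple:
    """Time-of-click check: confirm the wrapper was minted by this gateway,
    then evaluate the destination against the blocklist as it is now."""
    q = parse_qs(urlparse(rewritten_url).query)
    url = q.get("u", [""])[0]
    tag = q.get("t", [""])[0]
    if not hmac.compare_digest(tag.encode(), sign(url).encode()):
        return ("block", "redirect parameter tampered with or forged")
    return evaluate(url)


if __name__ == "__main__":
    link = rewrite("https://newly-registered.example/reset")
    print(on_click(link))                        # allowed when delivered
    add_to_blocklist("newly-registered.example")  # intelligence arrives later
    print(on_click(link))                        # blocked when clicked
```

The pattern matters because phishing domains are often registered hours before a campaign and blocklisted hours after it; a link that was clean when the email was scanned is re-evaluated when the employee actually clicks it.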

3. Security Awareness Training

The above technical defenses against phishing will block the vast majority of phishing attacks, but steps should be taken to reduce the susceptibility of the workforce to phishing and social engineering attacks. Phishing targets employees, who are a weak link in the security chain. Through regular security awareness training, the workforce can be taught the skills they need to identify security threats such as phishing and be conditioned to report potential phishing emails to their security teams. Verizon’s data shows that the reporting of phishing threats in phishing simulations has increased by around 10% over the past 6 years, demonstrating phishing awareness is improving through training.

Security awareness training should not be a one-time session delivered as part of onboarding new employees. An ongoing security awareness training program should be implemented that incorporates training sessions, security reminders, and newsletters, with phishing simulations also recommended. Phishing simulations provide a baseline against which the effectiveness of training can be measured. The simulations give visibility into weak points, such as individuals who require additional training and the specific types of phishing emails that are fooling workforce members, to guide future training efforts.

Security awareness training is required for compliance with the HIPAA Security Rule administrative safeguards – 45 CFR § 164.308(a)(5) – which call for HIPAA-regulated entities to “Implement a security awareness and training program for all members of its workforce (including management).” While the HIPAA text does not state what the security awareness training should cover, the HHS’ Office for Civil Rights has explained in its cybersecurity newsletters that training should cover phishing email identification. Financial penalties have been imposed on organizations that have failed to implement a security awareness training program – West Georgia Ambulance in 2019 for example.

4. Multi-factor Authentication

In the event of credentials being compromised in a phishing attack, they can be used to gain access to users’ accounts. From there, an attacker could use email accounts to send internal phishing emails and compromise many different accounts, or a compromised account could provide the foothold in the network needed for a much more extensive compromise.

Multi-factor authentication is the last line of defense. With multi-factor authentication, in addition to a password, a further form of authentication is required before access to an account is granted. That could be a hardware token, a one-time code generated by or sent to a mobile device, or another authenticator such as a FIDO2 security key, fingerprint, or facial scan. According to Microsoft, multi-factor authentication blocks 99.9% of automated attacks on accounts. One caveat: one-time codes and push approvals can still be relayed in real time by adversary-in-the-middle phishing kits that proxy the genuine login page, so phishing-resistant methods such as FIDO2/WebAuthn, which bind the login to the legitimate site's origin, should be preferred for privileged and high-risk accounts.


Phishing is one of the leading causes of healthcare data breaches. There is no silver bullet when it comes to blocking attacks. What is needed is defense-in-depth, which should involve an email security gateway, a web security solution, regular security awareness training for the workforce, and multi-factor authentication. With these measures in place, healthcare organizations will have a robust defense against phishing attacks and will be able to prevent many costly data breaches.