HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Email Phishing Scam Claims 946 Victims

Even robust data security controls can be undone by a single email, as Middlesex Hospital in Connecticut discovered. Phishing emails were sent to hospital employees and four members of staff responded, potentially giving the perpetrator access to patient PHI held in those email accounts.

The security breach was discovered on October 9, 2015. An investigation into the incident revealed that 946 patients had been affected. No financial data or Social Security numbers were accessed as a result of the security breach, although it is possible that patient names, dates of birth, home addresses, medical record numbers, dates of service, prescription information, and medical diagnoses were accessed.

According to a statement released by Middlesex Hospital, the data breach did not result in full access to patient medical records being obtained.

All patients affected by the data breach have now been sent a breach notification letter advising them of the potential disclosure of their Protected Health Information, and all will be offered 12 months of credit monitoring services free of charge. Additional security measures are being put in place to prevent similar breaches from occurring in the future.

More than 90 Million Patient Health Records Exposed as a Result of Healthcare Email Phishing Scams

In December 2014, Ascension Health’s St. Vincent Medical Group suffered a data breach affecting 760 patients as a result of a member of staff responding to a phishing email. Ascension Health’s Seton Healthcare Family also suffered a data breach around the same time. That email phishing scam exposed the PHI of 39,000 patients.

In April 2015, Partners Healthcare System announced it was the victim of a phishing scam. A number of employees were fooled into responding to emails in the belief they were genuine. That data breach exposed the personal information and Social Security numbers of approximately 3,300 patients.

Up to 20 employees of Franciscan Health System fell for a phishing campaign in 2014, potentially resulting in 12,000 patient records being exposed. In that incident, employees were sent a link to a website which required them to enter their usernames and passwords. Any credentials entered on that website were harvested by the attacker, who could then use them to log in as those employees.

Healthcare email phishing scams are common, and have been cited as the initial point of entry in the two largest healthcare data breaches on record. The 78.8 million-record data breach affecting Anthem Inc. was made possible by members of staff responding to phishing emails.

Similarly, the Premera Blue Cross data breach that exposed the records of 11 million health insurance subscribers was also traced to staff members responding to phishing emails, as was the 4.5 million-record data breach suffered by Community Health Systems in 2014.

In the past 12 months, healthcare email phishing scams have provided criminals with access to over 90 million healthcare records.

How to Protect Networks and Email Accounts from Phishing Attacks

It is essential that all members of staff, even those without access to PHI, are trained how to identify a phishing email to reduce the risk of a data breach being suffered. Unfortunately, criminals are now producing highly convincing phishing campaigns which can be extremely difficult to identify.

Individual healthcare employees are also being targeted with spear phishing emails. The criminals behind these phishing campaigns conduct detailed research on their targets and craft emails which are likely to elicit the desired response.

Because of the increasing sophistication and believability of phishing campaigns, training alone is insufficient to prevent all phishing attacks from being successful. Healthcare organizations should therefore implement a number of technical controls to reduce the risk.

It is essential that anti-spam solutions are implemented to catch and quarantine potential phishing emails and malware-infected email attachments before they reach an inbox. Internet filtering software can also help to prevent employees from visiting potentially malicious websites, including the credential-harvesting pages that phishing links point to.
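To make the quarantine step concrete, the following is an added example written for this article; it is not code from HIPAA Journal or from any organization named above. It applies a handful of rules of the kind a mail filter uses to two constructed messages: a credential-phishing lure of the type described in the Franciscan Health System incident, and a benign internal notice. The trusted domain hospital.example, the sample headers and bodies, and the rule thresholds are all assumptions chosen for the example; a production gateway layers sender authentication and reputation data on top of heuristics like these.

```python
"""Rule-based phishing triage over constructed sample messages.

Added illustration, not code from the article or any vendor. The domain
names, message contents and rules below are assumptions for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "hospital.example"  # assumed: the organization's own mail domain

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
CREDENTIAL_CUES = ("password", "username", "verify your account", "sign in", "log in")


def host_of(text):
    """Hostname of a URL, or of a bare 'www.foo.example/path' string shown as link text."""
    text = text.strip()
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def looks_like_host(text):
    """True when anchor text is shaped like a hostname/path rather than prose."""
    text = text.strip()
    return bool(re.fullmatch(r"[\w.-]+(/\S*)?", text)) and "." in text


def is_internal(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def is_lookalike(host):
    """Heuristic: host borrows the brand label but is not under the trusted domain."""
    brand = TRUSTED_DOMAIN.split(".")[0]  # "hospital"
    return brand in host and not is_internal(host)


def sender_domain(msg, header="From"):
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a verdict ('quarantine' or 'deliver') plus the rules that fired."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    reasons = []

    from_dom = sender_domain(msg)
    if from_dom and is_lookalike(from_dom):
        reasons.append("lookalike-sender")

    reply_dom = sender_domain(msg, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to-mismatch")

    # Link text that names one host while the href points at another.
    for href, shown in ANCHOR_RE.findall(body):
        if looks_like_host(shown) and host_of(shown) != host_of(href):
            reasons.append("link-text-mismatch")
            break

    # Asking for a login while linking outside the organization.
    external_links = [u for u in URL_RE.findall(body) if not is_internal(host_of(u))]
    lowered = body.lower()
    if external_links and any(cue in lowered for cue in CREDENTIAL_CUES):
        reasons.append("credential-request-with-external-link")

    return {"verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons, "sender_domain": from_dom}


# Constructed sample: a lookalike sender, a spoofed link and a password request.
PHISHING_SAMPLE = """From: Hospital IT Helpdesk <helpdesk@hospital-example.net>
Reply-To: helpdesk@mailer-support.example
To: nurse@hospital.example
Subject: Action required: mailbox quota exceeded
Content-Type: text/html; charset=utf-8

<p>Your mailbox is full. Sign in within 24 hours to keep access.</p>
<p><a href="http://portal-update.example/owa">www.hospital.example/owa</a></p>
<p>Enter your username and password to confirm.</p>
"""

# Constructed sample: an ordinary internal notice with an internal link.
BENIGN_SAMPLE = """From: Records Office <records@hospital.example>
To: nurse@hospital.example
Subject: Updated clinic schedule
Content-Type: text/html; charset=utf-8

<p>The revised schedule is posted on the intranet.</p>
<p><a href="https://intranet.hospital.example/schedule">intranet.hospital.example/schedule</a></p>
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(analyze(sample))
```

Each rule on its own is weak (an internal message can legitimately carry an external link, and a vendor name can resemble the organization's), which is why a filter records every rule that fired rather than stopping at the first one: the combination, not any single indicator, is what justifies holding the message for review instead of delivering it.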

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.