Healthcare Phishing Attack Potentially Impacts 16,500 Patients

Phishing is arguably the biggest data security threat faced by healthcare organizations. The past few weeks have seen several attacks reported by healthcare organizations, with the latest healthcare phishing attack one of the most serious, having affected as many as 16,562 patients.

Chase Brexton Health Care reports that the attack occurred on August 2 and August 3, 2017, when multiple phishing emails were delivered to the inboxes of its employees. Phishing attacks commonly take the form of bogus invoices and fake package delivery notifications, although these emails purported to be surveys. After employees completed the surveys they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials.

The phishing attack was discovered on August 4 and access to the employees’ accounts was blocked.  However, on August 2 and 3, the accounts of those employees were accessed and the attackers re-route employee payments to their own bank account.

While the aim of the phishing attack did not appear to be to gain access to patient information, it is possible that some patients’ PHI was viewed and potentially stolen. Chase Brexton Health Care has notified patients of the breach and informed them that PHI access is not suspected, although out of an abundance of caution, patients are being offered complimentary identity theft repair services.

The types of information potentially compromised was limited to names, addresses, dates of birth, patient ID numbers, provider name, diagnosis codes, service location, line of service, visit descriptions, medication details, and insurance information.

The investigation into the attack is continuing, and while details of the attackers’ bank account are known, the individuals responsible for the attack have not been identified. A third-party has been contracted to conduct an investigation into the attack.

Aside from blocking access to the compromised accounts by changing passwords, Chase Brexton Health Care has implemented a new email spam filtering solution to improve protection against phishing attacks, staff have received additional training, and new security protocols have been implemented.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.