HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Investigation Launched into Main Line Health Spear Phishing Attack

Main Line Health has fallen victim to a spear phishing attack that has resulted in the data of employees being sent to a scammer. This is the fourth such case discovered in the past two weeks that has resulted in a breach of employee data.

The spear phishing attack was discovered on Tuesday this week, although the spear phishing email was sent to a Main Line Health employee on February 16, 2016. The employee responded to the email request for data in the belief that the email was genuine. The incident went unnoticed until Main Line was made aware of the spate of recent healthcare phishing attacks when an alert was issued by the IRS.

The attack prompted Main Line to conduct a review of internal policies and procedures to reduce the risk of future spear phishing attacks being successful, and the company will be enhancing its security procedures. All affected employees have been advised of the exposure of their data and are being offered credit monitoring and identity theft protection services to protect against fraud.

Main Line Health CEO, Jack Lynch, issued a warning about the spear phishing risk and urged all colleagues and business associates to be particularly vigilant and take steps to educate employees about the threat from spear phishing attacks.

Last month, three healthcare organizations reported that employee data had been emailed to scammers. Employees at Magnolia Health Corporation in California, New Jersey’s St. Joseph’s Healthcare System, and York Hospital in Maine were all victims of similar scams.

In response to the spate of healthcare spear phishing attacks, the IRS issued a nationwide alert on February 29, 2016, warning of the recent attacks and alerting healthcare organizations and companies in other industries to the increased threat of malware and phishing attacks. The IRS reports that so far this year, there has been a 400% increase in tax season phishing and malware incidents.

The recent spear phishing scams involved an email being sent requesting a list of employee data. The emails appeared to have been sent from the internal email accounts of high-ranking executives within each organization. The data requested included Social Security numbers and salary information. The requests seemed reasonable since it is tax season.

When employees responded, rather than the email being sent to an executive, data were sent to the email scammers’ accounts.

All healthcare organizations should be particularly vigilant and on the lookout for phishing emails during tax season. All healthcare employees with access to employee data should be warned of the spate of phishing scams and advised to exercise extreme caution.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.