HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

MJHS Phishing Attack Result in the Exposure of 28,000 Individuals’ PHI

There has been a spate of phishing attacks on healthcare organizations in the past few weeks. The increased threat of attacks prompted the Department of Health and Human Services’ Office for Civil Rights to issue a warning to healthcare organizations, urging them to improve their defenses by conducting regular security awareness training sessions for employees.

Phishing is the number one attack vector for delivering malware and successful attacks can result in the theft of considerable amounts of sensitive data. Email accounts contain a wide range of sensitive data on patients – information that can be used to commit identity theft and medical fraud, although oftentimes attacks are conducted to gain access to emails accounts for the purposes of spamming.

In the case of the phishing attack on MJHS, the motive of the malicious actor is unknown. Fortunately, rapid identification and mitigation of the attack limited the attacker’s window of opportunity. The compromised email accounts were secured before the accounts could be used to send any emails, although it is possible that the protected health information of patients/plan members may have been viewed.

On June 6, 2017, MJHS learned that an unauthorized individual gained access to the email accounts of several employees of Elderplan Inc., and on June 14, 2017 it was discovered that access was also gained to an email account of a MJHS Home Care employee.

MJHS called in a leading third-party forensic firm to assist with the investigation and determine whether any emails had been accessed or forwarded. The firm was unable to detect any suspicious activity during the short time that access to the Elderplan and MJHS Home Care email accounts was possible.

Inspection of the emails in the compromised accounts showed they contained individuals’ names, diagnoses, Medicare numbers, insurance information, treatment dates and the facilities where treatment was provided. MJHS has notified all individuals impacted by the phishing attack and has offered complimentary credit monitoring services for 12 months through Kroll.

MJHS explained to patients that no evidence was uncovered to suggest any ePHI was viewed, stolen or misused by the attacker, although as a precaution, affected individuals have been advised to monitor their Explanation of Benefits statements closely for any sign of fraudulent activity.

The phishing attack has now been reported to Office for Civil Rights. The breach reports show 22,000 Elderplan members have been affected along with 6,000 patients of MJHS Home Care.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.