HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack Reported by Metropolitan Jewish Health System Inc.

Metropolitan Jewish Health System, Inc., (MJHS) is the latest healthcare organization to announce it has fallen victim to a phishing attack. The incident appears to have resulted in one email account being compromised, although an investigation is still ongoing to determine if any other email accounts were also affected.

An employee of MJHS responded to a phishing email on January 18, 2016., but the breach was not discovered until January 22, giving the attacker access to the email account for four days.

As soon as MJHS learned of the incident the email account was shut down and an investigation was launched. An analysis of the data contained in the employee’s email account revealed 2,483 patients’ protected health information had potentially been compromised. MJHS did not disclose whether emails had been accessed by the attacker, but no reports have been received to suggest any PHI has been used inappropriately.

Patients affected by the data breach had previously received medical services from Menorah Center for Rehabilitation and Nursing Care; MJHS Home Care; MJHS Hospice and Palliative Care, Inc.; MJHS Institute for Innovation in Palliative Care; or were members of Elderplan Inc.

The types of data were exposed include member and patient names, ID numbers, treatment dates, medical diagnoses, and the centers where treatment was provided.

It is not clear whether the phishing attack was a business email compromise, although MJHS pointed out in its substitute breach notice that the attacker pretended to be someone else in order to obtain access to the email account and that the email appeared to be legitimate.

In response to the attack, MJHS is conducting further training to reeducate staff about the phishing risk to reduce the likelihood of further PHI compromises. A review is also taking place on email security with a view to strengthening user authentication controls.

Cybercriminals often use phishing emails to gain access to email accounts and healthcare data. The scam emails are used to fool healthcare employees into opening infected email attachments, to disclose sensitive data such as login credentials, or to click on links to malicious websites that download malware.

While technical safeguards such as email spam filters can be used to catch spam email, these solutions are never 100% effective. It is therefore essential that all healthcare employees receive training to help them identify phishing emails. Regular training on phishing avoidance and email best practices can help healthcare organizations effectively manage risk.

Employer-sponsored test attacks can help to identify employees that require additional training, while anti-phishing exercises have also been shown to be effective at improving employees’ phishing email detection skills.

The United States Computer Emergency Readiness Team (US-CERT) provides useful advice for healthcare organizations on social engineering and phishing attacks and how to avoid becoming a victim on its website.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.