HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital

Morehead Memorial Hospital in Eden, NC has announced two employees have fallen victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. Those accounts contained the protected health information of patients and sensitive information on employees.

Upon discovery of the breach, access to the email accounts was blocked and the hospital performed a network-wide password reset. Leading computer forensics experts were hired to assist with the investigation and determine the extent of the breach. The investigation confirmed that access to the accounts was possible and sensitive patient and employee information could have been accessed.

While no reports have been received to suggest any information in the accounts has been misused, the possibility of data access and data theft could not be ruled out. The types of information exposed includes names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers.

Phishing attacks such as this are common. Emails are sent to healthcare employees that appear to be legitimate communications. The emails typically include hyperlinks that, when clicked, require login details to email accounts to be entered. Entering in that information provides the credentials to the attackers, who then use the information to remotely login to email accounts.

Preventing phishing attacks requires a combination of spam filtering technology to prevent phishing emails from reaching inboxes and education to teach employees about the risk from phishing and how to identify phishing attacks.

In response to the breach, Morehead Memorial Hospital is providing staff members with additional training to help them identify fraudulent communications. An internal webpage has also been created to communicate further information about phishing and email attacks to keep staff better informed.

The incident has been reported to the FBI, Department of Homeland Security and Office for Civil Rights. Patients were notified of the breach by mail on Friday last week and all have been offered identity theft monitoring services for 12 months without charge.

Morehead Memorial Hospital has said the breach impacted approximately 66,000 patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.