Phishing Attack Suffered by Brigham and Women’s Hospital
Boston’s Brigham and Women’s Hospital has alerted patients to a security breach after a phishing attack compromised the email account of a hospital employee. 1,009 patients have been affected by the cyberattack.
Phishing Attack Suffered by Brigham and Women’s and Brigham and Women’s Faulkner Hospitals
Late last year, a Brigham and Women’s Hospital employee fell victim to a phishing attack that resulted in the login credentials of an email account being divulged to the attacker. The email account contained a limited amount of PHI of a small percentage of patients of both the Brigham and Women’s and Brigham and Women’s Faulkner Hospitals in Boston.
According to a breach notice posted on the Brigham and Women’s Hospital website, only one email account was compromised and the electronic health record system was unaffected. Financial account information, Social Security numbers and health insurance numbers were not compromised in the attack, although affected patients have potentially had the following information disclosed: Name, medical record number, date of birth, date of service, provider name, health diagnoses and treatment information.
While access to the email account was provided to the attacker, the hospital has not received any reports that patient data have been used inappropriately. Breach notification letters were mailed to all affected patients on January 11, 2016., to alert them to the privacy breach.
The unauthorized accessing of the email account was discovered on November 13, 2015., although the breach notice does not indicate when the attack actually took place.
Phishing Attack Highlights Need to Conduct Regular Anti-Phishing Training
The data breach highlights the risk of phishing attacks being suffered by healthcare providers and demonstrates how important it is for healthcare providers to conduct regular training sessions on phishing avoidance to manage that risk. Regular anti-phishing training exercises have been shown to be highly effective at preventing phishing attacks from being suffered. The more times phishing exercises are provided; the better staff members get at identifying potential phishing emails.
The phishing attack has prompted Brigham and Women’s Hospital to enhance the technical safeguards used to secure network credentials and further training on network and email security is being provided to members of its workforce in an effort to prevent further cyberattacks from being suffered.
Previous security incidents affecting Patients of Brigham and Women’s and Faulkner Hospitals
Patients of Brigham and Women’s Hospital and Brigham and Women’s Faulkner Hospital were affected by the Partners Healthcare System phishing attack reported to OCR in May last year. 2,252 patients were also impacted by three separate privacy breaches suffered in 2011, 2012, and 2014, each of which involved the theft of unencrypted devices used to store ePHI.