Phishing Email Response Compromises PHI of 2,800 Patients

A response to a phishing email has resulted in the PHI of 2,789 Kaleida Health patients being made accessible to cybercriminals.

Kaleida Health discovered the attack on May 24, 2017, prompting a full investigation, which involved hiring a third-party computer forensic firm. An analysis of its systems showed that, by responding to the phishing email, the employee had given the attacker access to his or her email account.

While access to Kaleida Health’s EHR was not gained, the email account contained a range of protected health information of a small subset of its patients. The types of data in the account varied for each patient, but may have included names, dates of birth, medical record numbers, diagnoses, treatment and other clinical data. However, no financial information or Social Security numbers were exposed at any time.

While access to the email account was possible, no evidence was uncovered to suggest that the emails were accessed or that any protected health information was viewed or copied. However, since data access could not be ruled out with a high degree of certainty, all affected patients have been notified of the incident by mail.

Phishing has grown to be one of the most serious threats to healthcare organizations. As we have already seen this year, record numbers of successful W-2 phishing attacks have been reported and many healthcare employees have fallen for these phishing scams.

Providing security awareness training to employees can help to reduce risk, although a single training session every year is no longer sufficient. Training must be an ongoing process. As OCR suggested in its July Cybersecurity Newsletter, biannual training sessions should be provided along with monthly security bulletins that highlight the latest security threats.

Classroom-based training may not be the most effective way of raising awareness and developing a security culture in an organization. If computer-based training is provided and employees’ knowledge is tested with phishing simulation exercises, any failures in the simulations can be turned into training opportunities. These simulations also help to improve knowledge retention.

There are many solution providers that offer training programs and phishing simulation software, including PhishMe, KnowBe4, Wombat Security, PhishLabs, Agari, IronScales and PhishLine.

It may not be possible to reduce risk to zero, but several of those providers have been able to demonstrate that phishing simulation exercises along with employee awareness training can reduce susceptibility to phishing attacks by up to 95%.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.