Share this article on:
San Diego, CA-based Ron’s Pharmacy Services has discovered an email account containing limited protected health information has been compromised by an unknown individual.
Suspicious activity was identified on an employee’s email account on October 3, 2017 prompting an investigation; however, it was not until December 21, 2017 that it was determined that an unauthorized individual had accessed messages in the email account containing patient information.
An analysis of the emails in the account showed only a limited amount of PHI was compromised: Names, internal account numbers, and payment adjustment information, while a small number of patients also had details of their prescription medications compromised. While PHI access was confirmed, Ron’s Pharmacy is unaware of any misuse of patient information. Ron’s Pharmacy has now notified patients about the breach and reported the incident to the appropriate authorities.
In its Feb 2 substitute breach notice, Ron’s Pharmacy explained that rapid action was taken to secure the account and prevent further access. Login credentials were changed, and a third-party computer forensics firm was contracted to conduct a thorough investigation to determine the nature of the attack, its scope, and how access to the account was gained.
Employees have received additional training and policies and procedures have been updated to improve defenses against future cyberattacks of this nature.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 6,781 individuals were impacted by the breach.
Breach Highlights the Importance of Enforcing the Setting of Strong Passwords
The incident highlights the importance of implementing controls to ensure strong passwords are created by all employees. Ron’s Pharmacy, with assistance from the computer forensics firm, determined that the employees email account was compromised as a result of the attacker using software to conduct a brute force attack, which resulted in the correct password being guessed.
The use of complex passwords containing upper and lower-case letters, numbers, and special characters is recommended. Since short complex passwords are prone to brute force attacks, passwords should have a minimum length of 8 characters.
However, in its new Digital Identity Guidelines, NIST suggests using long passphrases. Long passphrases are resistant to brute force attacks and are easier for employees to remember than complex passwords of random characters.
Covered entities should also consider using rate limiting to restrict the number of incorrect attempts before access to accounts is blocked.