HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Saint Agnes Medical Center Victim of BEC Attack

Saint Agnes Medical Center of Fresno, CA, is in the process of notifying 2,812 employees of a cyberattack that occurred on May 2, 2016.

On Monday this week, an employee of Saint Agnes responded to a phishing email and sent copies of employees’ W-2 data to an attacker. The disclosed data included the names of employees along with their home addresses, salary details, withholding information, and Social Security numbers. The request appeared to have come from the Chief Executive Officer of Saint Agnes. The phishing attack was rapidly identified, although not before the data had been disclosed to the attacker.

All employees affected by the data breach have been provided with a year of credit monitoring and identity restoration services through Experian without charge. Affected employees have also been advised to contact the IRS to find out if a fraudulent tax refund has been claimed in their name.

The scam is a form of Business Email Compromise (BEC) attack, and this year has seen a number of BEC attacks on healthcare providers. The emails are convincing because they appear to come from within the organization. Either the email account of a senior executive is compromised and the attacker sends the request from that individual’s real account, or the attacker registers a domain that closely resembles the target company’s own. Often the look-alike domain differs only by two transposed letters, so at a casual glance the sender address appears genuine.
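As an added illustration (not code from this article, from Saint Agnes or from HIPAA Journal), the check below is what a mail gateway or SOC triage script can run over inbound headers to catch the look-alike domain variant described above: it folds common homoglyph substitutions and then measures edit distance, counting a swapped letter pair as a single edit. The organization domain example-health.org and the five sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organization domain, assumed for this illustration.
ORG_DOMAIN = "example-health.org"

# Look-alike substitutions seen in spoofed domains; folded before comparison.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Lower-case a domain label and collapse homoglyphs to the letter they imitate."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and an
    adjacent transposition each cost 1, so 'exampel' vs 'example' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(header) -> str:
    """Extract the domain from a From:/Reply-To: header value."""
    _, addr = parseaddr(str(header))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True when a domain imitates the organization's own registered name."""
    if not domain or domain == org:
        return False
    name = normalize(domain.rpartition(".")[0])
    org_name = normalize(org.rpartition(".")[0])
    if name == org_name:
        return True  # same name with a swapped TLD or homoglyph letters
    budget = 2 if len(org_name) >= 10 else 1  # tighter budget for short names
    return osa_distance(name, org_name) <= budget


def classify_message(raw: str) -> str:
    """Classify one RFC 822 message by its From: and Reply-To: domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if from_dom == ORG_DOMAIN:
        if reply_dom != ORG_DOMAIN:
            return "suspicious: internal From but Reply-To " + reply_dom
        return "internal"  # a compromised real account also lands here
    if is_lookalike(from_dom):
        return "suspicious: lookalike domain " + from_dom
    return "external"


# Constructed sample messages (not real traffic) covering the variants above.
SAMPLES = {
    "genuine_ceo": "From: CEO <ceo@example-health.org>\nTo: payroll@example-health.org\n"
                   "Subject: W-2s\n\nPlease send me all employee W-2s today.\n",
    "transposed": "From: CEO <ceo@exampel-health.org>\nTo: payroll@example-health.org\n"
                  "Subject: W-2s\n\nPlease send me all employee W-2s today.\n",
    "homoglyph": "From: CEO <ceo@example-hea1th.org>\nTo: payroll@example-health.org\n"
                 "Subject: W-2s\n\nPlease send me all employee W-2s today.\n",
    "reply_to": "From: CEO <ceo@example-health.org>\nReply-To: ceo.office@webmail-example.net\n"
                "To: payroll@example-health.org\nSubject: W-2s\n\nReply with the W-2 PDFs.\n",
    "vendor": "From: Billing <ar@vendor.com>\nTo: ap@example-health.org\n"
              "Subject: Invoice 4471\n\nAttached is this month's invoice.\n",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} {verdict}")
```

Note what this does not catch: the "genuine_ceo" sample is classified as internal, and a message sent from an executive's compromised real account looks exactly like it. Header analysis only addresses the look-alike domain and Reply-To tricks; the compromised-account variant is why the verification procedure discussed later in this article is the control that matters.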


BEC attacks are often successful because employees do not want to refuse requests from the CEO or other senior executives, and do not want to bother those individuals with a phone call to verify the genuineness of the request.

In contrast to the majority of HIPAA-covered entities, which delay the announcement of a data breach, Saint Agnes Medical Center acted swiftly and decisively to reduce the risk of employees coming to harm as a result of the cyberattack. Just two days after the attack occurred, the healthcare provider notified employees via email. The Office of the Attorney General and other agencies were also informed. The FBI was alerted to the BEC attack and is now investigating. Employees should also receive a letter in the mail in the next few days.

Rapid notification of a BEC attack is important. Victims of BEC attacks face a high risk of identity theft and tax fraud. The stolen data are used by attackers to file false tax returns in the names of the victims. Fast action can reduce the risk of harm being caused.

Salted Hash has been keeping tabs on BEC attacks this year. During the first quarter of 2016, 41 organizations in the United States reported suffering BEC attacks. Other healthcare organizations that have been targeted with BEC attacks this year include Main Line Health, York Hospital, eClinicalWorks, CareCentrix, Endologix Inc., and Magnolia Health Corporation. On March 1, 2016, the IRS issued an alert due to the rapid rise in BEC attacks.

Unfortunately, this type of cyberattack is difficult to block with technical controls alone. The best defense is awareness training combined with a procedure requiring that any request for employee tax data be verified through a separate channel, such as a phone call to the requester at a known number, before anything is sent.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.