Spoofed Email Scam Claims Another Healthcare Victim

Just a matter of days after Magnolia Health Corporation, CA., announced one of its employees had fallen for a spoofed email scam and emailed list of employee data outside the company, another healthcare system has made a similar announcement in what appears to be an almost carbon copy data breach.

An employee of St. Joseph’s Healthcare System, NJ, received an email request to send a list of employee names, Social Security numbers, and earnings data. A request that is perhaps not unusual in tax season. The email request appeared to have been sent from an internal email address; that of a high ranking company executive. The employee responded by sending a spreadsheet containing the names, social security numbers, and details of 2015/2016 earnings of current employees. However, the email had in fact been sent by a scammer.

Over 5,000 employees have had their names and Social Security numbers disclosed. Those employees work at either the St. Joseph’s Regional Medical Center in Paterson, NJ, St. Joseph’s Wayne Hospital in Wayne, NJ, or St. Vincent’s Nursing Home in Cedar Grove, NJ. Employees of St. Joseph’s Children’s Hospital in Paterson were not affected. The disclosure does not affect any St. Joseph Healthcare System patients.

St. Joseph’s vice president for external affairs, Kenneth Morris Jr., said that all employees have been notified of the disclosure of their Social Security numbers and earnings, and have been offered a year of credit monitoring services without charge. Morris described the scam as being “extremely sophisticated.” He said that there was no breach of internal systems, and the scam did not appear to have come from within, saying “we have no indication that it was an internal crime.”

An investigation was launched following the discovery of the scam and that investigation is ongoing. According to a statement released by St. Josephs, the employee in question realized quickly that something was peculiar and alerted a supervisor. However, that was not until after the email had been sent.

Second Spoofed Email Victim Highlights Worrying New Scamming Trend

The news comes just a few days after Magnolia Health Corporation announced that an employee had been fooled by an email sent by a scammer using a spoofed domain. The scammer used the same email format as Magnolia Health Corporation and spoofed the CEO’s email account. The email recipient responded to the request and sent a spreadsheet containing data on all current employees to the scammer.

Scams such as these have become commonplace with numerous businesses having been targeted in this manner. These social engineering scams are often carefully researched, with a target at a company being carefully selected. Scammers are able to research the company via social media websites, with LinkedIn being one of the most commonly used sites to gather information.

It is a relatively easy process to find out the format of a company’s email accounts. Scammers then purchase a domain name that appears highly similar, often with two transposed letters. An email is then sent to the target with a request for data. These scams are also commonly conducted on members of the accounts department and request bank transfers to be made. By the time the scam is uncovered, the payment has cleared, the funds have been withdrawn, and the account has been closed.

The recent targeting of healthcare providers is a concern. While no patient data have been exposed in either of these two email scams, a considerable number of healthcare employees have been affected.

Healthcare organizations should take note and should warn their employees to be ultra-cautious and extremely vigilant for scams. Any request to send data via email should be treated with suspicion, and extra care taken to check the exact format of the email used. An employee may not want to bother a senior healthcare executive or a CEO to check that a request is genuine, but attempts should be made to verify the authenticity of such a request.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.