HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Verity Health System Victim of Phishing Attack

Verity Health System has fallen victim to a phishing attack resulting in sensitive employee data being emailed outside the company. Employee names, addresses, Social Security numbers, amount earned in the financial year, and details of tax withheld have been disclosed to the attacker.

The breach only affected past and present employees who would have received a W-2 for the past financial year. No patient data was compromised in the breach.

An email was received on April 27, 2016, which appeared to have been sent from an individual inside the organization. The email asked for information on Verity employees, which was sent as requested. The scam was discovered just over three weeks later.

The Oregon-based healthcare provider is one of a large number of companies that have fallen victim to this kind of scam this year. These phishing attacks are often referred to as business email compromise (BEC) scams, although internal email accounts are not always compromised. Oftentimes, attackers purchase a domain similar to the one used by the targeted organization; the letter ‘I’ could be replaced with a 1, for example. A casual glance at the sender’s email address would not reveal anything untoward.

Attackers only need to perform a minimal amount of research to find out the name of the CEO or another high-ranking executive in the company, together with a target in the accounts or HR department. An email account is then set up using the same address format as that used by the company, and the email request for data is sent.

The IRS issued a warning to U.S. organizations earlier this year alerting them to a significant increase in this type of scam in the first few months of 2016.

Business email compromise scams are highly effective as many employees do not question requests from the CEO or C-suite executives. In many cases, requests for employee data seem perfectly reasonable.

The best form of defense against these attacks is to alert employees to the risk of BEC scams. All employees with access to employee data should receive basic training that allows them to identify BEC scams. Email spam filters can be configured to block emails from spoofed domains, and policies can be implemented that require 2-factor authentication before any lists of employee data are sent via email, or that require a secondary sign-off before any such lists are emailed.
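One way to apply the "block spoofed domains" advice above, as an added example that is not from the article or from Verity Health System: a small Python classifier that collapses look-alike characters (the ‘I’ to 1 swap described above) before comparing a sender's domain to the organization's own, and that flags an external address carrying an executive's display name. The organization domain and executive name are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "verity.example"      # constructed placeholder, not the real domain
EXECUTIVES = {"jane doe"}          # constructed executive name for the example

# Look-alike substitutions seen in BEC domains ('I' -> '1' as in the article).
# Multi-character swaps run first so 'rn' collapses to 'm' before single chars.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("|", "l"),
               ("0", "o"), ("5", "s"), ("3", "e"), ("4", "a"), ("7", "t")]


def skeleton(domain: str) -> str:
    """Canonical form of a domain that collapses confusable characters."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike-domain', 'executive-impersonation' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return "internal"
    # Different literal domain but identical skeleton: a registered look-alike.
    if skeleton(domain) == skeleton(ORG_DOMAIN):
        return "lookalike-domain"
    # Executive's display name on a non-company address.
    if name.strip().lower() in EXECUTIVES:
        return "executive-impersonation"
    return "external"


def scan(headers):
    """Return (address, verdict) for every sender that is not internal."""
    results = []
    for h in headers:
        verdict = classify_sender(h)
        if verdict != "internal":
            results.append((parseaddr(h)[1], verdict))
    return results


if __name__ == "__main__":
    # Constructed sample From: headers, including the 'I' -> '1' look-alike.
    sample = ['"Jane Doe" <jane.doe@verity.example>',
              '"Jane Doe" <jane.doe@ver1ty.example>',
              '"Jane Doe" <jane.doe@webmail.example>']
    for addr, verdict in scan(sample):
        print(f"{addr}: {verdict}")
```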

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.