HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Wise Health System Notifies 66,934 Patients of Phishing Attack

Wise Health System in Decatur, TX, is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14, 2019.

Wise Health System previously reported the phishing attack to the Department of Health and Human Services’ Office for Civil Rights on July 13, 2019, as having affected 35,899 individuals. That total has now been updated following the completion of a data audit. The data audit commenced in June 2019 and has only just been completed. New notifications started to be sent to affected patients on February 13, 2020.

In March 2019, several employees responded to phishing emails and disclosed their account credentials. The attackers used those credentials to access the Employee Kiosk and attempted to reroute payroll direct deposits. Wise Health System reports that attempts were made to reroute approximately 100 direct deposit payments.

Security protocols required two checks to be issued to employees following a change to direct deposit information. This security measure was key to identifying the scam and preventing the misdirection of direct deposit payments. The large number of checks printed on April 5, 2019, raised a red flag and suggested that unauthorized individuals had gained access to Wise Health System's systems.

A system-wide password reset was performed to lock the attackers out of the system, and two independent computer forensics firms were engaged to investigate the breach. The cyberattack was also reported to the FBI. The FBI investigation revealed the attackers were based in Africa, and the case has now been closed.

Wise Health System, the two computer forensics firms, and the FBI share the belief that patient information was not accessed by the attackers. The criminal gangs behind these campaigns are solely concerned with rerouting payroll direct deposits and there have previously been no confirmed reports of data theft by these gangs. However, the email credentials obtained by the attackers would have allowed them to access email accounts that contained protected health information such as names, medical record numbers, diagnostic information, health insurance information, and treatment information.

Out of an abundance of caution, affected patients have been offered credit monitoring, identity theft recovery, and identity theft insurance coverage through the ID Experts MyIDCare service for 12 to 24 months. Following the breach, Wise Health System implemented measures to improve its cybersecurity posture.

PSL Services Discovered Employee Email Account Breach

Peregrine Corporation, dba PSL Services, a provider of residential, case management, community, education, and other support services for persons with emotional and intellectual disabilities in Maine, has discovered that unauthorized individuals gained access to the email accounts of several employees from December 16, 2019 through December 19.

A breach was suspected when suspicious activity was detected in the email account of an employee. A third-party computer forensics firm was engaged to investigate the breach and discovered several email accounts had been compromised.

The types of information contained in the compromised email accounts varied from patient to patient and included names, dates of birth, Social Security numbers, driver’s license numbers, medical information, and Medicare numbers.

The compromised accounts are being reviewed to determine which patients have been affected. The incident is still being investigated and the final number of individuals affected has not yet been determined. Affected individuals are being offered free identity theft protection services and written notices will be sent to affected individuals as soon as possible.

PSL Services is reviewing its security measures and will implement additional safeguards to prevent similar breaches from occurring in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.