Wise Health System Phishing Attack impacts 35,899 Patients

Wise Health System in Decatur, TX, has started sending notifications to patients to inform them that some of their protected health information (PHI) has been exposed as a result of a phishing attack. 35,899 patients have potentially been affected.

The attack occurred on March 14, 2019. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits.  Attempts were made to redirect approximately 100 direct deposit payments.

Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5 and the unusually high number of checks raised the alarm. Thanks to the two-check policy, the fraud was prevented and no payments were redirected.  A system wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate the breach.  The breach was also reported to the FBI.

The sole purpose of the attack appears to have been to reroute direct deposits, although the stolen credentials would have allowed access to be gained to employee email accounts. Those accounts contained patients’ names, medical record numbers, diagnostic information, treatment information, and health insurance information.

Wise Health System does not believe PHI was accessed by the attackers and no reports have been received which suggest any patient information has been misused. Both forensics firms and the FBI share that point of view. The investigators all agreed they have never seen a direct deposit attack such as this where the attackers have stolen patient data. These gangs specialize in direct deposit fraud. The attackers in this case were traced to Africa by the FBI, which has now closed its investigation.

Since unauthorized PHI access and data theft could not be ruled out, to ensure patients are protected, notification letters were sent on July 12, 2019 and affected patients have been offered a 12 month complimentary membership to ID Experts MyIDCare service (Credit monitoring, Identity theft recovery, and insurance coverage).

Wise Health System is reviewing its security policies and procedures and will be taking steps to reinforce security.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.