HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Wyoming Medical Center Phishing Attack Exposes PHI of 3,184 Patients

A phishing attack on Wyoming Medical Center of Casper in February has resulted in the exposure of 3,184 patients’ protected health information.
Two employees clicked on links contained in phishing emails and compromised their accounts. The first employee to fall for the phishing scam clicked on the link on February 22, 2016, with the second employee falling for the scam three days later.

Wyoming Medical Center quickly became aware that the email accounts had been compromised because the attackers used them to send spam emails to other hospital employees. According to a statement released by hospital spokeswoman Kristy Bleizeffer, the attackers had access to the email accounts for only 15 minutes. As soon as the intrusion was discovered, IT staff began resetting passwords to lock the attackers out.
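The detection described above, a compromised mailbox revealing itself by suddenly mailing many colleagues, can be turned into a simple alert over an outbound-mail log. The following is an added example written for this page, not code from the article or from Wyoming Medical Center; the log format, the `hospital.example` domain, the 15-minute window and the recipient threshold are all constructed assumptions that would be tuned to an organisation's own baseline.

```python
"""
Flag mailboxes that fan out to an unusual number of distinct internal colleagues
within a short window, the pattern a phished account shows when it is used to
spam the rest of the organisation. Added example; all data below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "hospital.example"   # assumed organisation domain
WINDOW = timedelta(minutes=15)         # assumed detection window
THRESHOLD = 10                         # assumed: distinct internal recipients per window


def build_sample_log():
    """Constructed outbound log ("ISO-timestamp sender recipient" per line):
    routine traffic plus one account that mails 12 colleagues in about eight minutes."""
    lines = [
        "2016-02-22T09:01:10 nurse.a@hospital.example dr.b@hospital.example",
        "2016-02-22T09:15:42 billing.c@hospital.example rep@devices.example",
        "2016-02-22T09:20:05 nurse.a@hospital.example pharmacy@hospital.example",
        "2016-02-22T09:30:00 nurse.a@hospital.example lab@hospital.example",
    ]
    base = datetime(2016, 2, 22, 10, 0, 0)
    for i in range(12):
        ts = (base + timedelta(seconds=40 * i)).isoformat()
        lines.append(f"{ts} clinic.staff@hospital.example colleague{i:02d}@hospital.example")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, recipient = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), recipient.lower()))
    events.sort(key=lambda e: e[0])
    return events


def find_spam_bursts(events, window=WINDOW, threshold=THRESHOLD, internal=INTERNAL_DOMAIN):
    """Return {sender: (first_alert_time, distinct_internal_recipients)} for every
    account whose distinct internal recipients inside any `window` reach `threshold`.
    External recipients are ignored: internal fan-out is the signal here."""
    recent = defaultdict(deque)   # sender -> deque of (timestamp, recipient) inside window
    alerts = {}
    for ts, sender, recipient in events:
        if not recipient.endswith("@" + internal):
            continue
        q = recent[sender]
        q.append((ts, recipient))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and sender not in alerts:
            alerts[sender] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for sender, (when, n) in find_spam_bursts(parse_log(build_sample_log())).items():
        print(f"ALERT {when.isoformat()} {sender} reached {n} distinct internal recipients")
```

The window is keyed on distinct recipients rather than raw message count so that a legitimate back-and-forth thread with one colleague does not trip the alert; an alert is then the trigger for the password reset and session revocation the article describes.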

The investigation into the breach did not uncover any evidence that the attacker accessed emails. Given the short time for which the accounts were compromised, it is unlikely that the attackers succeeded in gaining access to patients' PHI, and the investigation found no evidence that PHI had been viewed or copied.

Since there is a possibility that data were viewed, all patients potentially affected by the security breach have been notified of the incident by mail. The Department of Health and Human Services’ Office for Civil Rights has also been informed of the security breach.

The data contained in the compromised email accounts include patients’ names, account numbers, medical record numbers, dates of birth, dates of hospital service, and a limited amount of medical information. No Social Security numbers, health insurance information, or credit card numbers were exposed in the phishing attack.

Matt Frederiksen, chief compliance officer for Wyoming Medical Center, said many of the emails in the accounts were correspondence with vendors of medical devices. The emails contained the names of patients and the type of device they required. Frederiksen explained that at no point was access to detailed medical information gained, and electronic medical records were not exposed in the attack.

Under HIPAA Rules, covered entities have up to 60 days to issue breach notification letters to patients. Wyoming Medical Center sent notification letters within the allowable time frame, although it took some time to identify all patients who had potentially been affected by the security breach. Every single email in the two compromised accounts had to be checked individually.
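Determining who must be notified means establishing which emails in a compromised mailbox contain patient identifiers. The article says this was done one message at a time; the following added example (not the article's or the hospital's own tooling) shows how an incident responder can triage an exported mailbox first, so that manual review starts with the messages most likely to hold PHI and the notification list is seeded from the identifiers found. The identifier formats, the `SAMPLE_MAILBOX` messages and the patient details are all constructed assumptions; a real organisation's MRN and account-number formats come from its own data dictionary.

```python
"""
Triage a mailbox export for patient identifiers (MRN, account number, date of
birth) to scope a breach. Added example; identifier formats and messages are
constructed and do not describe any real system.
"""
import re

# Assumed identifier formats for a hypothetical hospital.
PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*(\d{7})\b", re.I),
    "account": re.compile(r"\bacct(?:ount)?(?: no\.?| number)?[:#\s]*(\d{8})\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{2}/\d{2}/\d{4})\b", re.I),
}

# Constructed mailbox export: vendor correspondence mixed with routine mail.
SAMPLE_MAILBOX = [
    {"id": 1, "subject": "Stent order",
     "body": "Please ship for John Doe, MRN 1234567, needs coronary stent model X."},
    {"id": 2, "subject": "Lunch", "body": "Cafeteria at noon?"},
    {"id": 3, "subject": "Re: implant",
     "body": "Patient acct no. 20160225 DOB 04/12/1975 - hip implant sizing attached."},
    {"id": 4, "subject": "Follow-up", "body": "Same patient as before, MRN: 1234567."},
]


def scan_message(msg):
    """Return {identifier_type: [values]} for identifiers found in one message."""
    text = msg["subject"] + "\n" + msg["body"]
    return {name: sorted(set(p.findall(text))) for name, p in PATTERNS.items() if p.search(text)}


def triage_mailbox(messages):
    """Return (message_id, identifiers) for messages carrying at least one identifier,
    ordered so the messages with the most identifiers are reviewed first."""
    hits = []
    for m in messages:
        found = scan_message(m)
        if found:
            hits.append((m["id"], found))
    hits.sort(key=lambda h: -sum(len(v) for v in h[1].values()))
    return hits


def affected_records(messages):
    """Distinct MRNs and account numbers seen anywhere in the mailbox: the seed list
    for deciding which patients receive a notification letter."""
    mrns, accts = set(), set()
    for _, found in triage_mailbox(messages):
        mrns.update(found.get("mrn", []))
        accts.update(found.get("account", []))
    return mrns, accts


if __name__ == "__main__":
    for msg_id, found in triage_mailbox(SAMPLE_MAILBOX):
        print(f"message {msg_id}: {found}")
    print("records to reconcile against the patient index:", affected_records(SAMPLE_MAILBOX))
```

Pattern matching only narrows the review: a message such as the vendor order above can name a patient and a device without carrying any structured identifier, so the unflagged messages still get a human pass, and every identifier found is reconciled against the patient index before letters go out.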

While the security breach was deemed to be serious, patients are unlikely to face a high risk of identity theft or fraud. Frederiksen said, “We feel like this is very low risk.” He went on to say, “Much of the information was deep into the email system.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.