A thorough interview of emails and email attachments in the account revealed they included the following patient details: Names, dates of birth, medical record info, patient account details, limited treatment and/or clinical information, including diagnoses, suppliers, and laboratory test outcomes. Some patients also had their health insurance information and/or Social Security numbers breached.
Impacted clients have been informed of the breach and anyone who may have had their Social Security number were potentially stolen has been offered with free membership to credit monitoring and identity protection services.
Washington University School of Medicine has put in place a process to improve email security and has conducted further education for its employees to allow them to spot phishing.
Elsewhere, the Doctors Community Medical Center in Maryland discovered a data breach during January 2020 when suspicious activity was spotted in its payroll system.
A review into the breach indicated that a small number of employees had been tricked by phishing emails and had shared their account credentials to the cybercriminals. Along with accessing the staff email accounts, the hackers also had were able to view payroll information.
The investigation revealed that the first accounts were accessed on November 6, 2019, with access available until January 30, 2020.
On February 13, 2020, Doctors Community Medical Center announced that some of the compromised email accounts contained data sheets that included patient data. Due to this a complete review of systems was conducted by third-party investigators was unable to confirm if patient data had been accessed, copied, or shared, although no reports have been submitted to suggest patient information has been improperly used. Since unauthorized data access could not be discarded, patients have been contacted and offered complimentary credit monitoring and identity restoration services to half safeguard their data.
The group is current devising new policies and procedures, with extra safeguards, to prevent potential attacks.