Email Phishing Scam Results in Healthcare Organisation Breach


Phishing (the act of obtaining sensitive information such as usernames, bank details or other private information, often for malicious reasons, by posing as a trustworthy entity in electronic communication) has become the biggest data security threat faced by healthcare organizations. Phishing attacks commonly take the form of fake invoices and package delivery notifications to hide their true intent. The past few weeks alone have seen several attacks reported by healthcare organizations. The latest healthcare phishing attack is also one of the most serious recorded, having affected as many as 16,562 patients.

Chase Brexton Health Care reports that this attack occurred on August 2 and August 3, 2017. The attack began when multiple phishing emails, disguised as surveys, were delivered to the inboxes of its employees. After employees completed the surveys, they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials.

On August 2 and 3, the accounts of those employees were accessed by the hackers immediately. The attackers directed employee payments made by those affected to the attackers' own bank account. The phishing attack was discovered on August 4, and access to the employees’ accounts was blocked.

Although the phishing attackers did not appear to attempt to gain access to patient information, it is possible that some patients’ PHI was viewed. Therefore, there is also a risk that it was stolen. In compliance with HIPAA’s Breach Notification Rule, Chase Brexton Health Care has notified patients of the breach and informed them that PHI access is not suspected. In response to the risk that their information could be used for malicious purposes, patients are being offered complimentary identity theft repair services.

The types of information potentially compromised were limited to names, addresses, dates of birth, patient ID numbers, provider name, diagnosis codes, service location, line of service, visit descriptions, medication details, and insurance information.

An investigation into the attack was launched and has not yet been completed. While details of the attackers’ bank account are known, the individuals responsible for the attack have not been identified. A third-party security firm has been contracted to help investigate the attack.

Aside from blocking access to the compromised accounts by changing passwords, Chase Brexton Health Care has implemented a new email spam filtering solution to improve protection against phishing attacks, provided additional training to staff, and implemented new security protocols.