Phishing Attack Potentially Exposed 11,350 Sinai Health System Patients PHI


Chicago’s Sinai Health System was compromised when two of its employees’ email accounts were involved in a phishing attack. The phishing incident that took place on October 2 was immediately discovered and mitigated. Hence, potential access of the compromised accounts was only for a few hours.

Cybersecurity experts investigated the matter and believed that the risk of patient PHI access is low though not totally ruled out. There was also no evidence indicating the access of patients’ financial information. But the experts found that the employees’ email accounts held the PHI of 11,350 patients, which may have been viewed. To protect the patients impacted by the PHI breach, Sinai Health System offered them free identity theft protection and credit monitoring services for 12 months.

Phishing is a major cybersecurity threat that the healthcare industry need to deal with. According to IronScales, 90% to 95% of breaches are brought about by phishing. The anti-phishing vendor PhishMe confirms that over 90% of breaches started with a phishing email. Despite multi-layered phishing defenses, some phishing emails will still make it through to the end users’ mail inboxes.

The best security measure is to give healthcare employees continuous security awareness training.  The training will help them identify phishing emails and avoid data breaches from happening. The HIPAA actually require covered entities to regularly train their employees, although it is not stipulated how frequent it should be. Most healthcare organizations provide biannual training and publish newsletters that tackle security threats and phishing awareness. Covered entities and business associates are encouraged to use different training methods including classroom sessions, posters, newsletters and phishing simulation exercises. Healthcare organizations will further have a lower risk from phishing with the use of spam filters and anti-phishing technologies.

Wombat Security Technologies issued a recent State of the Phish report that stated employees are better now at identifying phishing emails. Only 24% of respondents failed to identity phishing emails, compared to the 28% last year. However, organizations are failing to conduct regular security awareness training programs. If security training will not be regular, a breach in security can happen more often.