Phishing Attacks on Roper St. Francis Healthcare and Minnesota DHS Compromise PHI


Roper St. Francis Healthcare, based in Charleston, SC, experienced a large-scale phishing attack that allowed the attackers to access 13 employees’ email accounts.

Roper St. Francis Healthcare discovered the phishing attack on November 30, 2018 and blocked access to a company email account. The investigation found that more email accounts were compromised. The attacker accessed the affected accounts from November 15 to December 1, 2018.

A third-party computer forensics company investigated the breach and confirmed that some compromised accounts contained patient information such as names, medical insurance details, medical record numbers and the particulars of services received from Roper St. Francis Healthcare. For some patients, financial data and Social Security numbers were also compromised.

Roper St. Francis Healthcare mailed notification letters to all affected patients on January 25, 2019 and offered them free credit monitoring services. Although the attackers potentially accessed PHI, no report of PHI misuse has been received.

The HHS’ Office for Civil Rights breach portal does not list the incident yet and the exact number of patients affected is still not known.

A separate phishing attack on the Minnesota Department of Human Services impacted 3,000 Minnesotans. The email account of one county worker was compromised after the worker responded to a phishing email. The attacker accessed the account in September 2018 and used it to send other phishing emails to the employee's contacts.

Analysis of the compromised email account found that it contained the personal information of about 3,000 people. The data included names, telephone numbers, birth dates, email addresses and details related to child protection services. The driver’s license number, Social Security number and/or financial details of 30 persons were also exposed.

The Minnesota DHS detected the phishing attack on the following day and blocked remote access to the email account. Breach notification was delayed because of the time it took to analyze the email messages in the account. After the attack, a new tool was integrated into the system to detect and block phishing emails. Employees also received further training.