A phishing attack on the Medical College of Wisconsin resulted in the potential exposure of protected health information of 9,500 patients. The attack enabled unauthorized access to several employees’ email accounts, which stored sensitive information of faculty staff and patients.
The compromised email accounts contained information including names, dates of birth, addresses, medical diagnoses, medical record numbers, treatment information, surgical details, dates of service and health insurance details. For some individuals, the information also included Social Security numbers and bank information.
The phishing attack took place over one week, from July 21 to July 28. Phishing emails were sent to specific persons working at the Medical College of Wisconsin. Several people responded to the emails, which gave the attackers access to their email login credentials.
Medical College of Wisconsin engaged a computer forensics firm to look into the phishing attack. The firm confirmed that unauthorized people accessed the email accounts, but it could not confirm whether the attackers viewed, accessed or stole protected health information. The good news is there has been no report of patient information misuse.
Medical College of Wisconsin provided free credit monitoring and identity theft protection services to the breach victims whose Social Security numbers were exposed. In addition to the victims from Medical College of Wisconsin, some patients of Children’s Hospital of Wisconsin and Froedtert Health were affected. This is the latest phishing attack on Medical College of Wisconsin, following a previous incident 10 months ago that resulted in the exposure of 3,200 patients’ PHI.