Phishing is probably the biggest data security threat that healthcare organizations have to face today. In the past few weeks, several phishing attacks on healthcare organizations had been reported. One of which was really serious having a potential of affecting 16,562 patients. The phishing attackers hit Chase Brexton Health Care on August 2 and August 3, 2017. Several employees received phishing emails that take the form of fake invoices and bogus notifications of package delivery with survey offers.
Four employees unaware of the scam took the surveys. They were directed to a page requiring them to enter their login information after the survey. By logging in, they divulged their user account details. The management discovered the phishing attack on August 4 and blocked the employees’ access to their accounts. But before access was denied, the attackers have already re-routed employee payments to their own bank account.
It seemed that the phishing attack was not directed at gaining or stealing patient information. However, it is possible that some PHI were viewed or stolen. As a protocol, Chase Brexton Health Care notified its patients about the breach letting them know that PHI access is not suspected. Still, the company offered their patients free identity theft protection services. Potentially compromised information include names, birth dates, addresses, patient ID numbers, visit descriptions, provider name, service location, line of service, diagnosis codes, medication details and insurance info.
The investigators have accessed the bank account details of the phishing attackers but they have not yet identified the individuals behind the attack. Investigation by a third-party is still ongoing. Chase Brexton Health Care changed the passwords of the compromised accounts to block further access of the attackers. In addition, they implemented a new email spam filtering system to guard against future attempts of phishing. The employees were also given additional training on security protocols to avoid the occurrence of the same incident.