Phishing Attack on NCH Healthcare System Resulted in the Compromise of 73 Email Accounts

The latest phishing attack on Bonita Springs, an NCH Healthcare System based in Florida, highlighted the importance of providing healthcare employees with security awareness training.

Bonita Springs detected the attack on June 14, 2019 after identifying suspicious email activity in connection with its payroll system. The investigation showed that an overwhelming 73 employees disclosed their account information to hackers after responding to the phishing emails.

It is typical for healthcare companies to discover an email account breach and later find out that the attack was more serious than initially imagined. Quite often, a number of email accounts are compromised through lateral phishing, that is, the sending of phishing emails to other people within the organization from a compromised email account. But a breach this extensive rarely occurs.

NCH Healthcare System's investigation of the attack is still ongoing with the help of a third-party computer forensics company. The preliminary findings show that the attackers' intention was not to obtain PHI, but to reroute payroll payments.

On July 2, 2019, the forensic team confirmed the exposure of some patient data because of the attack. However, there is no confirmed report yet regarding the types of information compromised, as the investigation is still in progress. Impacted people will receive notification after the investigation is finished.

That process will most likely take longer considering the magnitude of the breach and the number of compromised email accounts that must be examined to identify whether they contain patient protected health information (PHI).

NCH compliance officer Kelly Daly mentioned that because of the security procedures in place before the phishing attack, the harm done was limited. Without those security measures, more company employees might have become victims of the scam.

No report received so far indicates misuse of patients’ PHI, but patients are instructed to keep track of their explanation of benefits statements and financial accounts for indications of identity theft or misuse of their private data.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA