Ron’s Pharmacy Services in San Diego, CA discovered that an email account containing limited protected health information (PHI) of 6,781 patients was compromised. The pharmacy noticed suspicious activity on an employee’s email account on October 3, 2017. The matter was investigated, but it was not until Dec 21, 2017 that the investigation established that the employee account containing PHI had been accessed by an unauthorized individual.
The employee’s email account contained limited PHI, including patients’ names, payment adjustment information and internal account numbers. Some patients’ prescription medication details were also included. Although access to patients’ PHI was confirmed, there have been no reports of misuse of the information. Ron’s Pharmacy has notified the patients and the Department of Health and Human Services’ Office for Civil Rights about the data breach impacting 6,781 patients.
In a substitute breach notice, Ron’s Pharmacy explained the immediate action it took to secure the account, including changing the login credentials to cut off further access. A third-party computer forensics company investigated the incident to determine the nature and scope of the attack. Employees were given further training, and policies and procedures were updated to improve defenses against cyber attacks.
Ron’s Pharmacy was informed by the computer forensics company that the attacker used software to conduct a brute force attack and guess the correct password. Hence, it is important for all employees to create strong passwords instead of short passwords that are easily guessed during brute force attacks. Another defense against such attacks is limiting the number of incorrect login attempts and then blocking access.
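The attempt limit described above can be sketched as a per-account sliding-window lockout. This is an added example, not code from Ron’s Pharmacy or its forensics provider; the class name, thresholds, account name and event timeline are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account lockout: too many failures inside a window blocks logins."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        # Thresholds (5 failures / 5 minutes, 15-minute block) are assumed values.
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock timestamp

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def record(self, account, password_ok, now):
        """Process one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(account, now):
            # While locked, even the correct password is refused, so a
            # guessing tool gains nothing from continuing to try.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

# Constructed timeline: (seconds, account, was the password correct?).
# A tool guesses once per second and hits the right password on guess 8;
# the real user logs in after the lockout has expired.
ACCOUNT = "billing@pharmacy.example"
SAMPLE_EVENTS = [(t, ACCOUNT, False) for t in range(7)]
SAMPLE_EVENTS += [(7, ACCOUNT, True), (1000, ACCOUNT, True)]

def replay(events, throttle):
    """Feed events through the throttle and collect each outcome in order."""
    return [throttle.record(acct, ok, ts) for ts, acct, ok in events]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, LoginThrottle())):
        print(event[0], outcome)
```

Because a per-account lockout lets anyone who knows an address lock its owner out, it is commonly paired with per-source throttling or progressive delays.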
Use either complex passwords or long passphrases. Complex passwords have a minimum of 8 characters combining special characters, numbers, upper case and lower case letters. NIST recommends using long passphrases. Passphrases are easier to remember than complex passwords and are still resistant to brute force attacks.