University of Minnesota Physicians recently experienced a phishing attack that permitted unauthorized people to obtain access to two workers’ email accounts. One email account was accessible from January 30 to January 31, 2020 and the other email account on February 4, 2020 for a short time period.
Upon learning about the breach, University of Minnesota Physicians secured the accounts immediately and had engaged third-party forensic investigators to evaluate the nature and extent of the breach. The analysis did not show any evidence that suggests the attacker viewed the emails in the accounts or obtained patient data. However, the possibility of data access cannot be ruled out with a sufficiently high degree of certainty.
An evaluation of the compromised email accounts revealed they held the protected health information (PHI) of some patients. The types of information in the accounts varied from one patient to another and may have included name, address, birth date, date of service, date of death, contact number, medical record number, account number, payment card number, health insurance details, and medical data. The Social Security number of a number of patients were also exposed.
University of Minnesota Physicians began sending breach notification letters to affected persons on March 30, 2020, although the investigation was still in progress. That investigation is completed now. The delay was because of the meticulous and lengthy process required in identifying the relevant information.
University of Minnesota Physicians stated that when the attack occurred, several email security controls were in use such as multi-factor authentication, regular training of employees on privacy and security awareness, and conduct of phishing simulations.
More technology has now been put in place to further improve security. Employees undergo refresher security training. University of Minnesota Physicians also offered the affected individuals free credit monitoring and identity theft protection services for 12 months through Kroll.
The Office for Civil Rights breach portal posted the breach report on March 30, 2020 indicating that the attack impacted 683 individuals.
Email Account Breach at McLeod Health
Mcleod Health in South Carolina discovered that an unauthorized individual accessed an employee’s email account. It detected suspicious email activity on June 23, 2020 and quickly secured the email account.
A thorough forensic evaluation was performed to know the nature and magnitude of the breach, which showed the email account breach happened between April 13, 2020 and April 16, 2020. McLeod Health stated on August 19, 2020 that the attacker downloaded the content of the email account in April.
McLeod Health is conducting an evaluation of the impacted email account to find out what data the attacker acquired and which patients were affected. Notifications will be sent to affected persons when the review is finished.
McLeod Health had used multi-factor authentication previously to avoid the use of compromised credentials to get access to email accounts; even so, some internal settings had kept it from being applied on a few devices. That problem is now being resolved and extra security awareness training is offered to employees.