Patients of Wise Health System in Decatur, TX received notification regarding the potential exposure of their protected health information (PHI) because of a phishing attack. About 35,899 patients were affected by the breach.
The phishing attack on March 14, 2019 entailed the receipt of phishing emails by some employees. Those who responded to the phishing email ended up giving away their account login details. The attacker(s) then accessed the Employee Kiosk using the credentials and made an effort to reroute 100 payroll direct deposit payments.
According to Wise Health policies, it is necessary to print a paper check after two successive payrolls following a change in direct deposit details. The printed payroll checks on April 5 was atypically big and so the payroll department was alarmed. Thanks to the two-check policy, the scammers did not succeed in redirecting payroll payments. The payroll department changed the entire system password immediately to block the scammers. Two third-party forensic firms investigated the incident, at the same time, Wise Health notified the FBI about the breach.
It seems that the attackers’ only motive was to reroute the direct deposits. Even so, they could use the stolen credentials to access the accounts of the employees, as well as the names of patients, their diagnostic information, treatment data, medical record numbers and health insurance data contained in them.
Wise Health System is convinced that the attackers never accessed the PHI. There was no report, both from the forensics companies and the FBI, that patient information was misused. The investigators admitted that this direct deposit attack was the first of its kind that they’ve seen. Before the case was closed, the FBI traced the origin of the attackers, who were direct deposit fraud experts, from Africa.
Since the probability of unauthorized data access and theft cannot be ruled out, the patients received breach notification letters on July 12, 2019. And to make certain they are secured, Wise Health offered the patients free membership to ID Experts MyIDCare service for one year covering insurance, credit monitoring and Identity theft recovery.
The security policies and procedures of Wise Health System is under review and will have changes to improve security.