2018 Phishing attack breaches reported NOW
Writing in Health IT Security, reporter Jessica Davis noted that the University of North Carolina-Chapel Hill’s School of Medicine just reported a potential month-long breach that occurred in mid-2018. UNC joins a long line of healthcare providers and organizations reporting phishing attacks. The phishing scheme potentially exposed protected health information for approximately 3,716 patients over one month.
Healthcare is a soft phishing target
Davis reports that it is unclear when officials first discovered the breach, but a third-party forensic firm investigating notes that an unauthorized third party was able to access several employee email accounts between May and June 2018. Compromised data included names, birth dates, contact information, medical information, Social Security numbers, credit card or financial account data, and other information.
The investigators indicate that no medical record systems or other patient care systems were affected, and the university is giving patients whose Social Security numbers were compromised a year of free credit monitoring. But is that enough? Hard to say. To lock the door following the breach, UNC’s School of Medicine also implemented a multi-factor authentication system and improved its employee training around phishing.
In another breach Davis covered in the same article, New England-based Starling Physicians also reported a phishing incident that began earlier this year. Several employee email accounts were compromised, which in turn gave hackers access to patient personal and health data.
Healthcare is seen as a soft target for these attacks, in which several employees are taken in by emails from “known” senders whose accounts have been compromised. Previously, Davis reported that lateral phishing attacks on healthcare organizations through employee email accounts are on the uptick. Hackers, she says, are using compromised email accounts within an organization to phish other users from inside the enterprise.
Hackers tap human nature to impersonate known users
Davis reports that phishing continues to be one of the healthcare sector’s most common threats. Moreover, she adds, hackers increasingly are tapping into social engineering and human nature rather than technical flaws in an organization’s IT.
Examples are executive impersonation and spoofing. She notes that nearly all healthcare organizations targeted by hackers discovered hacker emails that appeared to come from their own trusted domains. These imposter emails typically use subject lines containing words like payment, request, or urgent, and imitate the writing style of a known user.
Can compliance protect patient data?
It helps to lock the barn door before the horse is lost. Vigilance matters, as does training. It pays to increase employee vigilance and to encourage employees to check in with “known” senders, often in the C-suite or higher in the management hierarchy, who make slightly unusual requests. A quick phone call or a check of the sender’s email address for a “typo” takes seconds, assuming employees will actually do it.
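The two checks described above, a sender address with a “typo” domain and an executive name on an outside address, together with the urgency subject words Davis mentions, as a small mail-screening function. This is an added example, not code from the article or from Patrina; the trusted domain, the executive roster and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions (not from the original post): the organisation's real domain and
# the names of executives most likely to be impersonated.
TRUSTED_DOMAIN = "example-med.org"
EXECUTIVE_NAMES = {"pat dean"}
# Subject words the post names as typical of imposter mail.
URGENCY_WORDS = {"payment", "request", "urgent"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 from the real domain is a likely 'typo' domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(from_header: str, subject: str) -> list[str]:
    """Return the reasons a message deserves a second look (an empty list means nothing was flagged)."""
    findings = []
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    # A near-miss of the real domain is the 'typo' a recipient is asked to look for.
    if domain != TRUSTED_DOMAIN and 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {domain!r}")
    # A known executive's name on an address outside the organisation.
    if display_name.lower() in EXECUTIVE_NAMES and domain != TRUSTED_DOMAIN:
        findings.append(f"executive name {display_name!r} on external address")
    # Urgency wording also flags mail from a genuine but compromised internal account.
    hits = sorted(set(re.findall(r"[a-z]+", subject.lower())) & URGENCY_WORDS)
    if hits:
        findings.append("urgency words in subject: " + ", ".join(hits))
    return findings


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    ("Pat Dean <pdean@example-med.org>", "Urgent: wire payment request"),
    ("Pat Dean <pdean@examp1e-med.org>", "Invoice attached"),
    ("Pat Dean <patdean.office@gmail.com>", "Quick request"),
    ("IT Helpdesk <help@example-med.org>", "Scheduled maintenance window"),
]


def screen_all(messages=SAMPLE_MESSAGES) -> dict[str, list[str]]:
    """Screen every (From, Subject) pair and key the findings by the From header."""
    return {sender: screen_message(sender, subject) for sender, subject in messages}
```

Run `screen_all()` to see that the genuine internal account is flagged only for its urgent wording, the one-character lookalike domain and the external executive address are each flagged twice, and the helpdesk notice is clean.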
Collect and protect email and other data
Regardless of industry or, in some cases, geography (healthcare, financial services, and insurance, in the US or Canada), no one is immune from oversight and regulatory compliance. Nor is it possible to completely eliminate bad actors. However, a vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. That’s where Patrina can help. We’ve built our business on helping organizations keep track of “bad apples” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s compliant data capture, file storage, and records archiving designed specifically for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.