In June, the health system saw unusual activity in an employee’s email account, prompting an investigation. Methodist Hospitals determined that two employees fell victim to a phishing attack. In total, the unauthorized third party had access to the email accounts between March 13 and July 8. Methodist Hospitals said there is no evidence that any patient information has been misused.
One of the compromised email accounts was discovered to have been accessed by an unauthorized individual from March 13, 2019 to June 12, 2019, and the second account was subjected to unauthorized access on June 12, 2019 and from July 1 to July 8.
The patient data that was potentially compromised includes the following:
Names
Addresses
Health insurance information
Group identification numbers
Social Security numbers
Financial account numbers
Payment card information
Medical record numbers and treatment information
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 68,039 patients have been affected by the breach.
Discussing the matter with Digital Journal, Peter Goldstein, CTO and co-founder of Valimail, states: “Phishing attacks continue to be a leading cause of data breaches, as shown with the recent breach targeting Indiana-based Methodist Hospitals.”
He goes on to explain the intricacies of the specific attack: “In fact, spear-phishing plays a role in at least 90 percent of all cyberattacks and is a highly effective tactic leveraged by cybercriminals.”
He also notes that the health system is an especially attractive target for such attacks: “Because medical records contain an abundance of personal information, including Social Security numbers, addresses, payment information, and insurance information, they are highly valuable on the dark web, allowing cybercriminals to commit insurance fraud, account takeover and identity theft.”
In terms of what needs to be done, Goldstein assesses the vulnerabilities of email: “Many organizations invest in employee email security training to prevent these kinds of attacks. However, the pressure to identify fraudulent emails should not solely be on the employees, as modern phishing attacks are extremely hard to identify due to convincing impersonation techniques (used in over 80 percent of all spear phishing messages) and sophisticated social engineering.”
And in terms of lessons to be learned, Goldstein concludes: “This incident demonstrates how healthcare organizations and other companies need email security systems that validate and authenticate sender identity before an email reaches an employee inbox.”