Phishing Attack: Clinic Says 450,000 May Have Been Affected
Florida Practice Says Incident Involved Fraud Attempt
An Orlando-based family physicians' practice is notifying nearly 450,000 patients, employees and others about a phishing incident tied to a financial fraud attempt.
In a recent statement, Orlando Family Physicians acknowledges it was the victim of a phishing email incident that potentially resulted in unauthorized access to personal information contained in four employees’ email accounts.
"The available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals," the practice says. "Nonetheless, we are notifying affected individuals because of the possibility that the unauthorized person had access to personal information."
Orlando Family Physicians did not indicate whether the financial fraud attempt against the practice was successful.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that the practice reported the incident as affecting more than 447,000 individuals.
But the practice's website says it has served "well over 100,000 patients" in the region for more than 20 years.
Orlando Family Physicians did not immediately respond to Information Security Media Group's request for additional details about the incident.
In its breach notification statement, the Florida practice says that on April 15, an unauthorized person accessed the email account of an employee by obtaining their user ID and password through a phishing email. "We immediately took steps to contain the incident and began an investigation to determine its scope," according to the statement.
The practice identified three additional employee email accounts that the unauthorized person had accessed and began an extensive review of the affected email accounts to determine whether they contained personal information.
"We terminated the unauthorized access to each of the four affected employee email accounts within 24 hours of the initial unauthorized access to the account," the practice says.
On May 21, the practice discovered that there may have been unauthorized access to personal information contained in the four email accounts, the notification statement says.
On July 9, the practice identified the patients, prospective patients, employees and other individuals whose personal information was in the affected email accounts. That information included names, demographic information and health information, including diagnoses, providers and prescriptions.
Also contained in the compromised emails was individuals' health insurance information, including legacy Medicare beneficiary numbers derived from the individual's Social Security number or another subscriber identification number, as well as medical record numbers, patient account numbers and passport numbers.
The practice says it has enhanced its data security measures and is also providing supplemental email security training to its employees.
Orlando Family Physicians' breach notification encourages those individuals affected "to remain vigilant for threats of fraud and identity theft by regularly reviewing your account statements and credit reports."
The statement does not indicate whether the practice is providing prepaid credit and identity theft monitoring to any of the affected individuals.
The incident illustrates the risks posed by using email to share personal information.
"Controlling what types of documents employees attach to emails is a very difficult task, particularly if it is in internal emails that may be considered secure in the internal network," says regulatory attorney Marti Arvin of the privacy and security consultancy CynergisTek.
"There may be a need to reeducate employees about what should and should not be in emails and to ideally reference files on a shared drive rather than attach them to emails," she notes. "They may also need to review the organization’s email retention policy."
In the Florida incident, "given the volume of records involved, it would not be surprising to learn there were emails that span a long period of time," she notes.
Healthcare organizations need to scrutinize whether they should allow PHI to be transmitted via email systems, Arvin says.
They also should review their email retention policies "and potentially reeducate employees if they are not in compliance," she adds. And they should "only retain 'necessary' emails in archives. Much of the information in the emails is likely stored in another location, which is the source of truth, so there is no need to keep the 'old' emails barring a litigation hold."
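The retention review and "what is actually sitting in these mailboxes" question raised above can be made concrete with a small sweep over an exported mailbox. The following is an added example written for this article, not code from the practice, ISMG or the consultancy quoted; it assumes the mailbox export has already been parsed into simple records with attachment text extracted, and the identifier patterns (SSN-shaped numbers, the legacy nine-digit-plus-suffix Medicare number, MRN tokens) are constructed illustrations of the data types listed in the notification, not a vendor DLP ruleset. Messages past the retention window and not on a litigation hold are marked for purge; anything retained that still carries PHI-like identifiers is surfaced for follow-up.

```python
"""Retention sweep plus PHI-pattern scan over an exported mailbox (constructed sample data)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed patterns for the identifier types the notification letter lists.
# Legacy Medicare (HICN) numbers were nine digits followed by a one- or
# two-letter suffix; these regexes are illustrative, not a production ruleset.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "legacy_medicare": re.compile(r"\b\d{9}[A-Z]{1,2}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
}


@dataclass
class Message:
    """One mailbox item; attachments hold already-extracted attachment text (assumption)."""
    msg_id: str
    sent: date
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def find_phi(msg):
    """Return the names of PHI-like patterns found anywhere in the message."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments])
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def sweep(messages, today, retention_days, legal_hold):
    """Classify each message as hold / purge / keep and record its PHI hits.

    legal_hold is a set of message ids under litigation hold; those are never
    purged regardless of age.
    """
    cutoff = today - timedelta(days=retention_days)
    results = []
    for m in messages:
        if m.msg_id in legal_hold:
            action = "hold"
        elif m.sent < cutoff:
            action = "purge"
        else:
            action = "keep"
        results.append((m.msg_id, action, find_phi(m)))
    return results


def retained_with_phi(results):
    """Messages that will remain in the mailbox and still contain PHI-like data."""
    return [(msg_id, hits) for msg_id, action, hits in results if action != "purge" and hits]


# Constructed sample mailbox; every value below is made up for the example.
SAMPLE_MESSAGES = [
    Message("m1", date(2015, 3, 2), "Referral for J. Doe",
            "MRN 00123456, diagnosis attached", ["referral.pdf: SSN 123-45-6789"]),
    Message("m2", date(2021, 6, 1), "Lunch Friday?", "See you at noon"),
    Message("m3", date(2018, 11, 20), "Claim follow-up",
            "Medicare ID 123456789A, please resubmit"),
    Message("m4", date(2021, 7, 15), "Patient account",
            "Account 5551212, statement attached", ["statement.pdf: SSN 987-65-4321"]),
]


def run_sample():
    """Two-year retention window, m1 under litigation hold, evaluated on 2021-08-01."""
    return sweep(SAMPLE_MESSAGES, date(2021, 8, 1), retention_days=730, legal_hold={"m1"})


if __name__ == "__main__":
    results = run_sample()
    for msg_id, action, hits in results:
        print(f"{msg_id}: {action:5} phi={hits}")
    print("retained items still carrying PHI:", retained_with_phi(results))
```

The purge list is only a recommendation for the mailbox owner and records team to act on; the point of the last line is that retention alone does not solve the exposure, since recent mail and anything under hold keeps whatever PHI was attached to it, which is exactly the material an attacker with a stolen password can read.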