Phishing Leads to Healthcare BreachExperts Say More Employees Are Being Targeted
A breach affecting nearly 760 patients at St. Vincent Medical Group in Indiana is the latest example of a healthcare organization falling victim to an apparent upswing in phishing attacks targeting employees.
This is the third major health data breach since 2010 reported by St. Vincent Medical Group, a 20-hospital system that's part of Ascension Health.
In a statement recently posted on its website, the healthcare provider says it learned on Dec. 3, 2014, that an employee's email account user name and password had been compromised as a result of a phishing scheme.
"St. Vincent Medical Group immediately shut down the user name and password of the impacted account and launched an investigation into the matter," the statement says. "The investigation has required electronic and manual review of affected emails to determine the scope of the incident. Through the ongoing investigation of this matter, we determined on March 12, 2015, that the employee email account subject to the phishing contained some personal health information for approximately 760 patients."
The protected health information in the affected email account included patient names, dates of birth, phone numbers, account numbers, limited clinical information related to services the patient received and, in some cases, Social Security numbers, the statement says. "The hackers did not gain access to individual medical records or billing record," it adds.
The incident is listed on the Department of Health and Human Services' "wall of shame" of health data breaches affecting 500 or more individuals.
In the wake of the phishing attack at St. Vincent Medical Group, the organization says it will provide additional education to employees regarding phishing. Plus it's working with its email service provider to evaluate ways to enhance its security. The healthcare provider is also offering free identity monitoring and protection services to those whose Social Security numbers were exposed.
Boom in Phishing?
Some healthcare security executives say they've seen an uptick in the volume of phishing schemes directed at their organizations' employees.
For example, over the last six months, the University of Vermont Medical Center has seen a spike in phishing attempts, including those "laced with malware in an attempt to steal credentials," says CISO Heather Roszkowski in a recent interview with Information Security Media Group.
"I've really been trying to increase user awareness training around phishing to avoid those credentials from being exploited," she says. This extra vigilance in defense of phishing comes in the wake of a few large hacking attacks in the healthcare sector, including those affecting Anthem Inc. and Premera Blue Cross in recent months, and Community Health System last summer.
Some security experts speculate that spear-phishing attacks may have led to the hacking attacks against Anthem and Premera, which in total affected nearly 90 million individuals (see Anthem Breach: Phishing Attack Cited).
Also, of course, it's just not the healthcare sector that's been victim to breaches involving phishing. A growing number of cyber-attacks, including a 2014 breach at JPMorgan Chase affecting 76 million households and 7 million small businesses, have apparently originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, says Dave Jevans, co-founder of the Anti-Phishing Working Group, in a recent interview with Information Security Media Group.
As spear-phishing campaigns become more common this year as a way to open the door to major cyber-attacks, the attackers will start to focus on targeting employees through their mobile devices, which have less sophisticated detection systems, Jevans predicts. For example, they may use text messages that ask employees to update a virtual private network profile.
Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to help thwart the impact of an employee's credentials that are compromised, Jevans advises.
In fact, that is a step that Roszkowski is taking at her organization to combat the spike in phishing attacks and other external threats. The medical center is implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," she says.
But it's also important to remember the human element in the battle against external threats, says Dan Berger, CEO of consulting firm Redspin. "You've got to be training your people so that they're not susceptible to phishing or social engineering type of attacks," he says in a recent interview.
In addition to the phishing incident, St. Vincent Medical Group has reported two other data breaches in recent years. Last July, it reported that a clerical error at its breast care center led to the mailing of 63,000 letters containing personal health information to the wrong recipients (see PHI Exposed In Mailing Error).
And in 2010, St. Vincent Hospital and Health Care Center, another unit, reported a breach impacting 1,199 individuals involving the theft of an unencrypted laptop computer, according to the HHS breach website.
St. Vincent Medical Group declined to comment on the recent phishing incident.