It has been revealed that the Medical College of Wisconsin (MCW) suffered a security breach that compromised the confidential medical information of 9,500 patients. The targeted attack affected MCW’s email system in July but was only publicly announced in November.
Upon discovery, “MCW promptly disabled the impacted email accounts, required password changes to the compromised accounts, maintained heightened monitoring of the accounts and commenced an investigation,” said a statement from the organization.
An investigation that ended in September discovered that a “small number of faculty and staff were victims of a spear phishing attack.” It also found that the phishing attack occurred between July 21 and 28 but could not determine whether any of the compromised data was accessed or improperly used.
The MCW statement continued:
The compromised email accounts at issue contained either one or more of the following: patients’ names, home addresses, dates of birth, medical record numbers, health insurance information, date(s) of service, surgical information, diagnosis/condition, and/or treatment information. Social Security numbers and bank account information for a very small number of patients were also contained within the affected email accounts.
MCW is committed to maintaining the privacy of patient information and continually evaluating and modifying its practices and procedures to enhance appropriate security and privacy measures to prevent recurrence of this incident, including conducting ongoing cyber awareness training for its workforce and regularly updating its system security and firewalls.
Those affected by the breach have been informed. At this stage, MCW is not aware of any reports of suspicious activity or identity fraud but is advising those affected to remain vigilant and carefully review health insurance statements. For those whose Social Security numbers were affected, credit monitoring and identity services have been provided.
The most important line of defense against a phishing attack is the person who receives the email. If your staff can identify and correctly respond to a malicious email, the danger can be mitigated. With phishing attacks on the increase, particularly in the healthcare sector, incidents like this one highlight the importance of training staff.
Educate your staff
No matter how effective your spam filter is, a spoofed email could still bypass it, making your staff the last line of defense against fraud. It is therefore vital that they are aware of the risks of phishing emails. E-learning courses are an efficient, cost-effective method of training with minimal disruption.
Our Phishing Staff Awareness Course gives staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.