It has been reported that Bronson Healthcare Group fell victim to a phishing scam in June 2017. An employee opened a malicious email that subsequently gave the attackers access to that employee’s email account, as well as to other employees’ accounts. One of the email accounts contained information on more than 8,000 patients.
The incident was not discovered until November 9, and all those potentially affected were notified in early December, as were the relevant authorities.
Upon discovery, action was taken to secure the compromised email accounts and an investigation was launched. Affected data included names, addresses, dates of birth, treatments, results, and in some cases insurance information and Social Security numbers.
The investigation was unable to establish whether the patient information was inappropriately accessed or misused. According to Chris Sangalli, vice president and chief compliance officer for Bronson, the group “installed some new employee software in June and we know that the target was employee payroll information. The target was not to receive patient information.”
As a precautionary measure, Bronson has advised those potentially affected to take steps to protect themselves, such as reviewing their financial accounts, and has introduced additional measures to further protect patient information. It is also reviewing its security practices.
The most important line of defense against a phishing attack is the person who receives the email. If your staff are able to identify and correctly respond to a malicious email, the danger can be mitigated.
With phishing attacks on the increase, particularly in the healthcare sector, this example highlights the importance of training staff.
Educate your staff
No matter how effective your spam filter is, a spoof email could bypass it, making your staff the last line of defense against fraud. It is therefore vital that they are aware of the risks of phishing emails. In order to raise awareness of phishing cost-effectively and with minimal disruption, e-learning courses are often the preferred method.
Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
In order to determine how vulnerable your organization is to the threat of phishing, consider running a Simulated Phishing Attack. This service provides an independent assessment of employee susceptibility, and benchmarks your security awareness campaigns.