Onco360 and CareMed Specialty Pharmacy have suffered a data breach affecting 53,173 patients. Suspicious activity on an employee’s email account was detected on November 14, 2017. An investigation was launched, and by November 30 “the forensic investigation determined that an unauthorized user appeared to have gained access to email accounts of three employees.”
The compromised email accounts included patient demographics, medication, clinical information, health insurance details, Social Security numbers, and, in some instances, financial data. Those affected by the breach have been informed, as have the relevant authorities.
Onco360 and CareMed Specialty Pharmacy responded promptly: upon discovery of the breach they changed the passwords for the affected accounts, provided additional training, and implemented extra email security measures.
It is not known how the perpetrator gained access to the email accounts. However, the breach notice implies that at least one employee clicked a malicious link in a phishing email, as the organizations are “providing additional training to employees on recognizing suspicious emails.”
It has not been confirmed whether any of the compromised data has been used inappropriately, although affected patients are advised to check their credit reports for suspicious activity. Complimentary credit monitoring services have also been provided.
With phishing attacks increasing, particularly in the healthcare sector because of the volume of personal data that organizations hold, this incident highlights the importance of training staff.
The most important line of defense against a phishing attack is the person who receives the email. If your staff are able to identify and correctly respond to a malicious email, the danger can be mitigated.
Increase staff awareness
Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information, or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
In order to determine how vulnerable your organization is to the threat of phishing, consider running a Simulated Phishing Attack. This service provides an independent assessment of employee susceptibility, and benchmarks your security awareness campaigns.