The incident was identified on December 2, 2017, and the passwords for the compromised email accounts were promptly reset.
Separate email accounts were also affected on December 15 and 16, and again the passwords were reset. Additional unauthorized access occurred to another email account on January 3, 2018.
An investigation later revealed that four of the five affected email mailboxes were downloaded by unauthorized individuals.
Affected data included patient names, medical record numbers, dates of medical treatment, diagnoses, and other medical information.
The hospital identified 63,049 individuals who were potentially affected, including a subset of its patients. The information involved varied. Because the email accounts had a large amount of data that had to be evaluated, we have notified individuals in groups as we progressed through the process. The hospital has taken and continues to take steps to protect against any further incidents. These steps have included the implementation of the additional technical control of multi-factor authentication.
Complimentary credit monitoring services have been provided for those affected by the incident.
With phishing attacks on the rise, particularly in the healthcare sector because of the large volume of personal data that organizations there hold, this example highlights the importance of staff training.
The most important line of defense against a phishing attack is the email recipient. If your staff are able to identify and correctly respond to a malicious email, the danger can be mitigated.
Increase phishing awareness
Our Phishing Staff Awareness Course gives your staff an introduction to phishing scams, and helps reduce the chance that an employee will hand over confidential information, or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
To determine how vulnerable your organization is to the threat of phishing, consider running a Simulated Phishing Attack. This service provides an independent assessment of employee susceptibility, and benchmarks your security awareness campaigns.