Woman using a microscope

Healthcare phishing attack leads to biggest breach of 2018

Phishing attacks are a major threat to the healthcare industry and U.S. businesses more generally. The 2018 Verizon data breach report revealed that phishing attacks are not only prominent, they’re also on the rise, with 43% of data breaches stemming from such incidents.

Not only are these types of attacks costly in the literal sense – the average cost of a data breach is reported to be $408 per record, almost 3 times the cross-industry average – they can also lead to significant reputational damage. Just ask UnityPoint Health, one of the latest examples of a healthcare organization to fall victim to a phishing attack targeted at its employees.

The attack, which was discovered on May 31, potentially compromized the PHI of 1.4 million patients, making it the biggest healthcare data breach of 2018 by some distance, eclipsing CA Department of Developmental Services’ previous yearly high of 582,000. This is a record no company wants to hold, but serves as a reminder that no organization is immune from a data breach, and that no matter how big a data breach may be, there’s always a bigger breach around the corner.

A forensic investigation into the UnityPoint Health breach revealed multiple email accounts had been compromised between March 14 and April 3, 2018, and as is the case with most breaches of this kind, it stemmed from employees being tricked into handing over sensitive information via email. In this instance, it appears that the attackers spoofed a company executive’s email account and sent emails to employees asking them to disclose email credentials – and they took the bait. The investigation suggested the primary purpose of the attack was to divert payments to the attackers’ bank accounts.

While there’s no reason to suggest the attackers were intending to gain access to sensitive health data during the breach, and there have been no reported incidents of PHI misuse to date, the email accounts that were compromised contained large amounts of patient PHI, that could have potentially been accessed by the criminals. This included patient names, birth dates, addresses, medical record numbers, diagnosis and treatment information, test results, insurance information, surgical information and Social Security numbers amongst other things, along with credit card numbers in some cases.

Phishing attacks on healthcare organizations are typically implemented with the intention of gaining direct access to PHI, or to deploy ransomware, both of which can result in significant financial gain for attackers. So long as PHI commands a high value on the black market, and while ransomware victims continue to pay ransom to their attackers, healthcare will continue to be exploited.

It is therefore critical that organizations tackle the threats head-on by training employees to recognise and report suspicious looking messages, and eliminate non-secure channels such as email from their workflows when exchanging PHI with colleagues.

Contact DocbookMD today for a free trial and start communicating securely.