A North Carolina medical center has announced that a phishing attack on its email systems resulted in the protected health information (PHI) of up to 20,000 patients being compromised.
Catawba Valley Medical Center (CVMC), based in Hickory, North Carolina, announced that an unauthorised individual gained access to its systems. The breach was discovered on August 13, 2018; the subsequent investigation determined that the attacker had access between July 4 and August 17, 2018. Once the breach was discovered, steps were taken to secure the affected systems and revoke the attacker's access. A third-party forensics firm was brought in to assist with the response, and together with that firm CVMC launched an investigation to determine the cause of the breach.
The investigators concluded that the attackers gained access to the email accounts after three employees responded to phishing emails. Phishing is a form of fraud in which the criminal attempts to obtain sensitive information, such as login credentials, by impersonating a trustworthy entity. These attacks are most commonly carried out over email. The messages are often easy to mistake for legitimate ones: they carry the logos of real organisations and use convincing formatting and language. As these attacks become more sophisticated, it is becoming increasingly difficult to train staff to spot them.
Investigators searched the affected email accounts to determine what types of information the attacker may have been able to view during the breach, and how many people may have been affected. The mailboxes included emails with attachments containing patients' protected health information, including names, dates of birth, details of medical services received at CVMC, health insurance details and, for certain patients, Social Security numbers.
Because of the sensitive nature of the information that may have been accessed, the patients affected by the breach are considered to be at elevated risk of identity fraud. However, investigators found no evidence that the attacker actually opened or copied any of the emails, and there has been no indication that any of the patient health information has been misused.
Although there is currently no evidence of misuse, all patients affected by the breach are advised to carefully review the statements they receive from their insurance carrier. In particular, they should be alert to charges for services they have not received.
In accordance with HIPAA's Breach Notification Rule, which requires affected individuals to be notified without unreasonable delay and no later than 60 days after discovery of a breach, all patients who may have had their protected health information (PHI) compromised were notified by CVMC on October 12, 2018. The organisation also set up a dedicated call center to handle patient enquiries and concerns about their data. Because the breach affected more than 500 individuals, a breach summary was also reported to the Department of Health and Human Services' Office for Civil Rights and posted on its breach portal.
The phishing incident has prompted CVMC to hire security experts to educate its employees on the dangers of phishing attacks and on best practices for avoiding them. It has also migrated to a new, more robust email security system. The organisation is also reviewing the technical, physical and administrative safeguards that protect its PHI to ensure that they fully meet the standards set out in HIPAA's Security Rule.
The Catawba Valley Medical Center breach is one of many attacks on healthcare providers in recent years. Medical organisations are particularly lucrative targets for cybercriminals because of the high black-market value of medical records. They are also comparatively easy targets: robust, comprehensive security programmes are expensive and difficult to implement, and already overworked and under-funded healthcare organisations struggle to keep up. However, the financial penalties for failing to meet HIPAA's security standards are also severe, so while the initial investment may be costly, it is the better long-term choice for patients and organisations alike.