Florida Digestive Health Specialists (FDHS), a gastroenterology healthcare provider based in Bradenton, FL, has recently begun notifying over 212,000 patients that some of their protected health information (PHI) was exposed in a cyberattack in December 2020.
Attorney Jason M. Schwent of Clark Hill sent breach notification letters to affected individuals on December 27, 2021. The letters stated that suspicious activity was discovered in an employee's email account on December 16, 2020, and that an unauthorized person had sent email messages using that account.
This type of attack, known as business email compromise (BEC), involves an attacker gaining access to an internal email account, normally through a phishing email, and then using the account to impersonate the employee and convince others to make fraudulent wire transfers. In this instance, on December 21, 2020, FDHS identified a fraudulent fund transfer to an unidentified bank account.
FDHS engaged Clark Hill and a third-party cybersecurity company to investigate the cyberattack. The investigation confirmed that unauthorized individuals had accessed some employee email accounts. Those email accounts were described as “voluminous” and contained the personal data and protected health information (PHI) of 212,509 individuals. In this type of attack, the goal is to obtain payments through fraudulent wire transfers rather than to acquire patient information; nevertheless, data theft cannot be ruled out.
The amount of information in the breached email accounts was given as the reason for the 12-month delay in sending notification letters to affected patients. FDHS stated that the analysis of the email accounts took a long time and was only completed on November 19, 2021.
In response to the breach, FDHS made a number of changes to its IT systems to enhance security. The measures include a password reset throughout its IT system, setup of multifactor authentication, strengthened password standards, and resetting of its firewall.
Affected individuals were given free credit monitoring and identity theft protection services for 12 months.