A phishing attack on Palmetto Health, which is now called Prisma Health, allowed unauthorized persons to access several email accounts.
Palmetto Health employees received email messages that have a malicious hyperlink. When the employees clicked the link, they were directed to an imitation web page, which asked them to input their email credentials. After which, the attackers were able to access the employees’ email accounts using their credentials.
A third-party computer forensics company investigated the breach to identify its nature and scope of access and to know if the attackers accessed or acquired any patients’ protected health information (PHI).
The forensics company confirmed that the attackers first accessed the email accounts in November 2018. The manual review of the emails to see if they contained patients’ PHI took some time to finish. It ended on February 19, 2019 and it confirmed that the PHI of 23,811 patients were exposed.
There was only a limited information exposed which included the names and data that Palmetto Health used when treating or consulting with patients. There was also health insurance details, Social Security numbers, and/or financial data contained in a small portion of the emails.
Palmetto Health is convinced that the attackers intended to access payroll data and not patient health data. No evidence was found to indicate access or duplication of any patient information, however it is possible that there was data theft. Thus, Palmetto Health offered free credit monitoring and identity theft protection services to patients whose financial data was potentially compromised.
Earnest Health, which encountered a PHIshing attack in October 2018 also notified some patients who went to the Weslaco Regional Rehabilitation Hospital located in Texas about the exposure of some of their PHI. The patients’ exposed information included their names, birth dates, health insurance information, patient care data, Social Security numbers and driver’s license numbers.
The hospital mailed notification letters to all affected patients and offered free credit monitoring and identity theft protection services to all patients who had their Social Security number or driver’s license number exposed. The hospital employees were given more training on identifying potentially malicious emails.
The HHS’ Office for Civil Rights has not yet listed the incident on its breach portal, so there is no information yet on the exact number of patients affected.