Spam News

Microsoft Issues Advice on Defending Against Spear Phishing Attacks

Cybercriminals conduct phishing attacks by sending millions of messages randomly in the hope of getting a few responses, but more targeted attacks can be far more profitable.

There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%.

The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very affective. The emails are difficult even for security conscious employees to recognize and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company, they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the signs of a phishing emails present in more general phishing campaigns.

These attacks are more profitable as some credentials are more valuable than others. Spear phishing campaigns often target Office 365 admins. Their accounts can allow an attacker to gain access to the entire email system and huge quantities of sensitive data. New accounts can be set up on a domain with admin credentials, and those accounts can be used to send further phishing emails. New accounts are only used by the attacker, so there is a lower chance of the malicious email activities being discovered.

Spear phishers also seek the credentials of executives, as they can be used in business email compromise attacks in which employees with access to company bank accounts to tricked into making fraudulent wire transfers. Fraudulent wire transfers of tens of thousands, hundreds of thousands, or even millions may be made, malware can be installed, or the attacker can gain access to large quantities of highly sensitive data.

Spear phishers spend time researching their targets on social media networks and corporate websites. They learn about relationships between employees and different departments and impersonate other individuals in the company. They may even already have compromised one or more company email accounts in past phishing campaigns before going for the big phish on a big fish in the company. This is often referred to as a whaling attack. Spear phishing emails are often professional, credible, and are difficult to identify by end users.

As difficult as these spear phishing emails are to spot, there are steps that healthcare organizations can take to reduce risk. Many of these measures are the same as the steps that need to be taken to detect and block more general phishing campaigns.

The best place to start is with employee education. Security awareness training should be provided to everyone in the organization who uses email. Many of these spear phishing attacks start with a more general phishing campaign to gain a foothold in the email system.

The CEO and executives must also be trained, as they are the big fish that the spear phishing campaigns most commonly target. Any individual with access to corporate bank accounts or highly sensitive information should be given more training, and the training should be role-specific and cover the threats they are most likely to encounter.

Employees should be taught not just to check the true sender of an email, but specifically look at the email address to see if something is not quite right. Phishing emails usually have a sense of urgency and usually a “threat” if no action is taken (account will be closed/suspended).

They often contain out-of-band requests that go against company policy such as fast-tracking payments, sending unusual data via email, or bypassing usual checks or procedures. The messages often contain unusual language or inconsistent wording.

When suspicious emails are received, there should be an easy mechanism for employees to report them to their security teams. A one-click email add-on for reporting messages is useful. Spear phishing campaigns are often sent to key people in a department simultaneously, so speaking to peers about messages is also useful. Policies should also be implemented that require checks to be performed before any large bank transfers are made. It should be company policy to double check atypical requests by phone, for instance.

Technical measures should also be introduced to detect and block attacks. An advanced spam filtering solution is a must. Do not rely on Exchange Online Protection with Office 365. Advanced Threat Protection from Microsoft or a third-party solution for Office 365 should be implemented for greater protection, one which incorporates sandboxing, DMARC, and malicious URL analysis will provide greater protection.

Multi-factor authentication is also essential. MFA blocks more than 99.9% of email account compromise attacks. If credentials are compromised in an attack, MFA can prevent them from being used by the attacker.

Spear phishing is the principle way that cybercriminals attack organizations and it often gives them the foothold they need for more extensive attacks on the organization. Spear phishing is a very real threat. It is therefore critical that organizations take these and other steps to combat attacks.

The post Microsoft Issues Advice on Defending Against Spear Phishing Attacks appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – One settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Phishing Attacks at Highest Level Since 2016

According to the Q3, 2019 Phishing Activity Trends Report from the Anti-Phishing Working Group, phishing attacks are now occurring at a rate not seen since 2016.

266,387 unique phishing sites were detected in Q3, 2019, an increase of 46% from Q2, 2019. Almost twice the number of phishing sites were detected in Q3, 2019 than in the last quarter of 2018.

APWG received data on 277,693 unique phishing campaigns from its members. That is the highest number of detected phishing campaigns since Q4, 2016. APWG also collates information from phishing attacks reported by consumers and the general public. 122,359 unique reports were received from the public in Q3, 2019, up 9.09% from Q2.

The phishing campaigns detected in Q3, 2019 impersonated more than 400 different companies, up from 313 in Q2, 2019. The types of company most commonly impersonated in the attacks are webmail and software-as-a-service providers. The main aim of the attacks on these firms is to obtain credentials that can be used to gain access to corporate email and SaaS accounts. The targets of attacks are largely unchanged from previous quarters.

Many attacks are focused on obtaining Office 365 credentials. Stolen Office 365 credentials are extremely valuable to Business Email Compromise (BEC) scammers. Once access is gained to a corporate email account, it is used to send further phishing emails to other individuals in the breached organization. The aim of many attacks is to gain access to the CEO’s email account or the account of another executive. Those accounts are then used to send emails to individuals with access to corporate bank accounts to request wire transfers and payroll changes.

While CEO fraud is still common, there has been a shift in tactics and vendors and suppliers are now being targeted much more often. The potential returns from a CEO fraud scam are higher, but attacks on vendors and suppliers can be more lucrative. One vendor or supplier account compromise allows the attacker to target all of their customers.

The attackers often spend a considerable amount of time gathering information on potential targets before the BEC attacks commence. During the research phase, rules are often set up to forward all emails sent to and from the compromised email accounts to the attackers. The attackers learn about potential targets, typical invoice amounts, and normal payment dates to maximize the chance of success. Following an email account compromise, it can be several weeks or months before the account is used for BEC attacks

Another growing trend is a shift from wire transfer requests to gift card scams. Wire transfer requests in Q3, 2019 ranged from $2,530 to $850,790. The average payment was $52,325 and the median payment was $24,958. The average gift card scam was for $1,571, with scams requesting between $200 and $8,000.

The returns from gift card scams may be lower, but it is much easier for the scammers to cash out and they offer greater anonymity. Fraudulent bank transfers are often questioned, payments can be reversed, and money mules are required. In Q3, 2019, 56% of all BEC attacks involved gift cards, 25% involved payroll diversion, and 19% involved direct bank transfers.

In Q3, SaaS and webmail accounted for 33% of attacks, followed by the payment industry (e.g PayPal) with 21% of attacks, and financial institutions (19%). Attacks on cloud storage and file hosting sites were far less popular.

An increasing number of companies have switched from HTTP to HTTPS and consumers are now much more likely to check that a website starts with HTTPS before disclosing any sensitive information such as login credentials. Cybercriminals have had to follow suit. In Q3, 68% of phishing sites were hosted on HTTPS, up from 54% in Q2, 2019.

The post Phishing Attacks at Highest Level Since 2016 appeared first on HIPAA Journal.

IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states.

The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption and cause major disruption and huge ransom demands are often issued. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it cannot afford to pay.

According to Brian Krebs of KrebsonSecurity, who spoke to VCP owner and CEO Karen Christianson, the attack has affected virtually all of the company’s core offerings, including internet access, email, stored patient records, clients’ phone systems, billing, as well as the VCP payroll system.

The attack has meant acute care facilities and nursing homes cannot view or update patient records and order essential drugs to ensure they are delivered in time. Several small facilities are unable to bill for Medicaid, which will force them to close their doors if systems are not restored before December 5th in time for claims to be submitted. VCP has prioritized restoring its Citrix-based virtual private networking platform to allow clients to access patients’ medical records.

The attack commenced on November 17, 2019 and VCP is still struggling to restore access to client data and cannot process payroll for almost 150 employees. Christianson is concerned that the attack could potentially result in the untimely demise of some patients and may force her to permanently close her business.

KrebsonSecurity reports that the initial attack may date back to September 2018 and likely started with a TrickBot or Emotet infection, with Ryuk deployed as a secondary payload.

The post IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records appeared first on HIPAA Journal.

Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings

Choice Cancer Care Treatment Center (CCCT), a network of cancer care centers in Texas, has discovered the protected health information of some of its patients has potentially been accessed by unauthorized individuals as a result of a phishing attack in May 2019.

Suspicious activity in the email account of an employee was detected on May 21, 2019. The subsequent investigation confirmed that the account had been accessed by an unauthorized individual between May 1st and May 21st, 2019. The email account was immediately secured, and a third-party digital forensic firm was engaged to conduct a thorough investigation.

An analysis of CCCT systems confirmed that the breach was confined to the email system and only one email account had been subjected to unauthorized access. A programmatic and manual review of all emails and email attachments in the account revealed the protected health information of certain patients had been exposed. The review was completed on September 18, 2019. CCCT then reviewed all affected records and confirmed the contact information for all individuals affected. Breach notifications were sent to affected individuals in November. Individuals affected by the breach have been offered complimentary credit monitoring and identity theft protection services.

The breach was mostly limited to names, medical information and health insurance information. A very small number of patients also had their Social Security number, driver’s license number, passport number, and/or credit card number exposed.

It was not possible to determine whether the attacker viewed or acquired any patient health information. No reports have been received to suggest there has been any actual or attempted misuse of patient information.

CCCT has reviewed its data security policies and procedures and further training has been provided to employees on data privacy and security.

CAH Holdings Reports Phishing Attack Impacting Several Employee Email Accounts

CAH Holdings Inc., an independent insurance agency that provides regional insurance and risk management services, has discovered the email accounts of several employees have been accessed by unauthorized individuals.

CAH Holdings has not publicly disclosed when the breach occurred nor when it was detected, only stating that a review of the affected employee email accounts was completed on September 16, 2019. That review confirmed that billing related information had potentially been compromised, including names and Social Security numbers and some or all of the following data elements: Date of birth, address, health insurance number, driver’s license number, diagnosis, and treatment plan. That information had been provided to CAH holdings by insurance companies and employers.

A third-party computer forensics firm assisted with the review of the compromised accounts, but it was not possible to determine whether any emails or email attachments had been opened or copied by the attackers.

The breach has prompted CAH Holdings to implement multi-factor authentication on its Office 365 email accounts, and anti-spam controls have also been augmented. CAH Holdings has also hired a Chief Information Security Officer (CISO) who will be performing a thorough review of its security protocols. Additional security measures will be implemented, as appropriate, based on the findings of that review.

No evidence of misuse of sensitive information has been uncovered but, as a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. Affected individuals are also covered by a $1 million insurance reimbursement policy.

The post Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings appeared first on HIPAA Journal.

Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients

InterMed, one of the largest healthcare providers in Southern Maine, has discovered information on up to 30,000 patients has potentially been accessed by an unauthorized individual as a result of a recent email security breach.

On September 6, 2019, InterMed discovered an employee’s email account had been accessed by a third-party without authorization. An independent investigation into the breach revealed the account was compromised on September 4 and a further three employee email accounts were also found to have been compromised between September 7 and September 10, 2019.

Emails and attachments in the compromised accounts contained patient information such as names, dates of birth, clinical information, and health insurance information, and for 155 individuals, Social Security numbers. The breach was limited to email accounts. The electronic medical record system was not accessed. It was not possible to determine whether emails in the account were actually viewed.

The compromised email accounts were immediately secured, and affected patients were notified about the breach on November 5. Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services. InterMed has said “we are enhancing our adherence to email best practices,” and strengthening security to protect against further attacks.

Sweetser Breach Impacts 22,000 Current and Former Clients

Another Maine healthcare organization has also recently announced an email system breach. Sweetser, a Saco, ME-based provider of mental health services, discovered a potential email account breach on June 24, 2019 when suspicious activity was identified in the account. Assisted by a digital forensics company, the breach was confirmed as affecting other employee email accounts, which were accessed by an unauthorized individual between June 18 and June 27, 2019.

Sweetser said it was informed on September 10, 2019 that one or more of the compromised email accounts contained patient information. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on September 13, 2019 as affecting 22,000 patients. Sweetser announced the breach and started sending patient notification letters on October 25, 2019.

The types of information in the email accounts varied from patient to patient and may have included names, addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, identification numbers, drivers license numbers, Medicare/Medicaid information, payment/claims information, diagnosis codes, and information on patients’ medical conditions and treatments.

Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services.

The post Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients appeared first on HIPAA Journal.

Common Office 365 Mistakes Made by Healthcare Organizations

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam

The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors.

The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the message.

The phishing emails include an HTML attachment which will play a short excerpt from the voicemail message if opened. Users will then be redirected to a spoofed Office 365 web page where they must enter their Office 365 credentials to listen to the full message. If credentials are entered, they will be captured by the attacker. Users are then redirected to the Office.com website. No voicemail message will be played.

This is not the first time that voicemail and missed call notifications have been used as a lure in phishing attacks, but the inclusion of audio recordings in phishing emails is unusual. The partial voicemail recording comes from an embedded .wav file in the HTML attachment.

McAfee reports that three different phishing kits are being used to generate the spoofed Microsoft Office 365 websites, which suggests three different threat groups are using this ploy.

While there are red flags that should alert security-aware employees that this is a scam, unfamiliarity with this type of phishing scam and the inclusion of Microsoft logos and carbon-copy Office 365 login windows may be enough to convince users that the voicemail notifications are genuine.

Common Office 365 Mistakes to Avoid and HIPAA Best Practices

This is just the latest of several recent phishing campaigns targeting Office 365 users and attacks on Office 365 users are increasing. Listed below are some steps that can be taken to reduce risk along with some of the common Office 365 mistakes that are made which can increase the risk of account compromises, data breaches and HIPAA penalties.

Consider Using a Third-Party Anti-Phishing Solution on Top of Office 365

Office 365 incorporates anti-spam and anti-phishing protections as standard through Microsoft Exchange Online Protection (EOP). While this control is effective at blocking spam email (99%) and known malware (100%), it doesn’t perform so well at stopping phishing emails and zero-day threats. Microsoft is improving its anti-phishing controls but EOP is unlikely to provide a sufficiently high level of protection for healthcare organizations that are extensively targeted by cybercriminals.

Microsoft’s anti-phishing protections are better in Advanced Threat Protection (APT), although this solution cannot identify zero-day threats, does not include sandboxing for analyzing malicious attachments, and email impersonation protection is limited. For advanced protection against phishing and zero-day threats, consider layering a third-party anti-phishing solution on top of Office 365.

Implement Multi-Factor Authentication

A third-party solution will block more threats, but some will still be delivered to inboxes. The Verizon Data Breach Investigations Report revealed 30% of employees open phishing emails and 12% click links in those messages. Security awareness training for employees is mandatory under HIPAA and can help to reduce susceptibility to phishing attacks, but additional anti-phishing measures are required to reduce risk to a reasonable and acceptable level. One of the most effective measures is multi-factor authentication. It is not infallible, but it will help to ensure that compromised credentials cannot be used to access Office 365 email accounts.

Check DHS Advice Prior to Migrating from On-Premises Mail Services to Office 365

There are risks and vulnerabilities that must be mitigated when migrating from on-premises mail services to Office 365. The DHS’ Cybersecurity and Infrastructure Security Agency has issued best practices that should be followed. Check this advice before handling your own migrations or using a third-party service.

Ensure Logging is Configured and Review Email Logs Regularly

HIPAA requires logs to be created of system activity and ePHI access attempts, including the activities of authorized users. Those logs must also be reviewed regularly and checked for signs of unauthorized access and suspicious employee behavior.

Ensure Your Emails are Encrypted

Email encryption will prevent messages containing ePHI from being intercepted in transit. Email encryption is a requirement of HIPAA if messages containing ePHI are sent outside your organization.

Make Sure You Read Your Business Associate Agreement

Just because you have obtained a signed business associate agreement from Microsoft it does not mean your email is HIPAA-compliant. Make sure you read the terms in the BAA, check your set up is correct, and you are aware of your responsibilities for securing Office 365 and you are using Office 365 in a HIPAA compliant manner.

Backup and Use Email Archiving

In the event of disaster, it is essential that you can recover your email data. Your Office 365 environment must therefore be backed up and emails containing ePHI and HIPAA-related documents must be retained for a period of 6 years. An archiving solution – from Microsoft or a third-party – is the best way of retaining emails as archives can be searched and emails quickly recovered when they are required, such for legal discovery or a compliance audit.

The post Common Office 365 Mistakes Made by Healthcare Organizations appeared first on HIPAA Journal.

Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach of its scheduling reminder portal on June 28, 2018.

The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment.

Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed.

Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients had been affected by the breach. According to a recent press release, the demographic information of up to 20,000 patients may have been compromised, according to a recent report in the Daily Herald.

The incident has been reported to the Utah Department of Health, the Utah Department of Human Services, and the HHS. Affected individuals have been advised to place a fraud alert on their credit files as a precaution against misuse of their information.

It is currently unclear when the breach was discovered and why it has taken until now for a press release to be issued about the security breach.

The post Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients appeared first on HIPAA Journal.

21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information.

The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019.

It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorised access.

An extensive systemic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information, medical history, and treatment information may have been compromised.

All affected patients have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,407 patients were impacted by the breach.

Hunt Regional Healthcare Victim of Cyberattack

Greenville, TX-based Hunt Regional Healthcare has announced it experienced a cyberattack on May 14, 2019 in which hackers gained access to its computer network and the protected health information of certain patients.

The attackers potentially accessed files containing patient names, telephone numbers, dates of birth, Social Security numbers, race, and religious preferences. The incident has been reported to the FBI and Hunt Regional Healthcare is assisting in the investigation.

Hunt Regional Healthcare has said no evidence of unauthorized data access or data theft have been discovered, but patients are being notified as a precaution and are being offered free access to IDExperts credit monitoring and identity theft protection services.

It is currently unclear how many patients have been affected by the breach.

The post 21,400 Patients Impacted by St. Croix Hospice Phishing Attack appeared first on HIPAA Journal.