Spam News

Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings

Choice Cancer Care Treatment Center (CCCT), a network of cancer care centers in Texas, has discovered the protected health information of some of its patients has potentially been accessed by unauthorized individuals as a result of a phishing attack in May 2019.

Suspicious activity in the email account of an employee was detected on May 21, 2019. The subsequent investigation confirmed that the account had been accessed by an unauthorized individual between May 1st and May 21st, 2019. The email account was immediately secured, and a third-party digital forensic firm was engaged to conduct a thorough investigation.

An analysis of CCCT systems confirmed that the breach was confined to the email system and only one email account had been subjected to unauthorized access. A programmatic and manual review of all emails and email attachments in the account revealed the protected health information of certain patients had been exposed. The review was completed on September 18, 2019. CCCT then reviewed all affected records and confirmed the contact information for all individuals affected. Breach notifications were sent to affected individuals in November. Individuals affected by the breach have been offered complimentary credit monitoring and identity theft protection services.

The breach was mostly limited to names, medical information and health insurance information. A very small number of patients also had their Social Security number, driver’s license number, passport number, and/or credit card number exposed.

It was not possible to determine whether the attacker viewed or acquired any patient health information. No reports have been received to suggest there has been any actual or attempted misuse of patient information.

CCCT has reviewed its data security policies and procedures and further training has been provided to employees on data privacy and security.

CAH Holdings Reports Phishing Attack Impacting Several Employee Email Accounts

CAH Holdings Inc., an independent insurance agency that provides regional insurance and risk management services, has discovered the email accounts of several employees have been accessed by unauthorized individuals.

CAH Holdings has not publicly disclosed when the breach occurred nor when it was detected, only stating that a review of the affected employee email accounts was completed on September 16, 2019. That review confirmed that billing-related information had potentially been compromised, including names and Social Security numbers and some or all of the following data elements: date of birth, address, health insurance number, driver’s license number, diagnosis, and treatment plan. That information had been provided to CAH Holdings by insurance companies and employers.

A third-party computer forensics firm assisted with the review of the compromised accounts, but it was not possible to determine whether any emails or email attachments had been opened or copied by the attackers.

The breach has prompted CAH Holdings to implement multi-factor authentication on its Office 365 email accounts, and anti-spam controls have also been augmented. CAH Holdings has also hired a Chief Information Security Officer (CISO) who will be performing a thorough review of its security protocols. Additional security measures will be implemented, as appropriate, based on the findings of that review.

No evidence of misuse of sensitive information has been uncovered but, as a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. Affected individuals are also covered by a $1 million insurance reimbursement policy.

The post Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings appeared first on HIPAA Journal.

Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients

InterMed, one of the largest healthcare providers in Southern Maine, has discovered information on up to 30,000 patients has potentially been accessed by an unauthorized individual as a result of a recent email security breach.

On September 6, 2019, InterMed discovered an employee’s email account had been accessed by a third party without authorization. An independent investigation into the breach revealed the account was compromised on September 4 and a further three employee email accounts were also found to have been compromised between September 7 and September 10, 2019.

Emails and attachments in the compromised accounts contained patient information such as names, dates of birth, clinical information, and health insurance information, and for 155 individuals, Social Security numbers. The breach was limited to email accounts. The electronic medical record system was not accessed. It was not possible to determine whether emails in the account were actually viewed.

The compromised email accounts were immediately secured, and affected patients were notified about the breach on November 5. Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services. InterMed has said “we are enhancing our adherence to email best practices,” and strengthening security to protect against further attacks.

Sweetser Breach Impacts 22,000 Current and Former Clients

Another Maine healthcare organization has also recently announced an email system breach. Sweetser, a Saco, ME-based provider of mental health services, discovered a potential email account breach on June 24, 2019 when suspicious activity was identified in the account. Assisted by a digital forensics company, the breach was confirmed as affecting other employee email accounts, which were accessed by an unauthorized individual between June 18 and June 27, 2019.

Sweetser said it was informed on September 10, 2019 that one or more of the compromised email accounts contained patient information. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on September 13, 2019 as affecting 22,000 patients. Sweetser announced the breach and started sending patient notification letters on October 25, 2019.

The types of information in the email accounts varied from patient to patient and may have included names, addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, identification numbers, driver’s license numbers, Medicare/Medicaid information, payment/claims information, diagnosis codes, and information on patients’ medical conditions and treatments.

Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services.

The post Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients appeared first on HIPAA Journal.

Common Office 365 Mistakes Made by Healthcare Organizations

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam

The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors.

The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the message.

The phishing emails include an HTML attachment which will play a short excerpt from the voicemail message if opened. Users will then be redirected to a spoofed Office 365 web page where they must enter their Office 365 credentials to listen to the full message. If credentials are entered, they will be captured by the attacker. Users are then redirected to the Office.com website. No voicemail message will be played.

This is not the first time that voicemail and missed call notifications have been used as a lure in phishing attacks, but the inclusion of audio recordings in phishing emails is unusual. The partial voicemail recording comes from an embedded .wav file in the HTML attachment.

McAfee reports that three different phishing kits are being used to generate the spoofed Microsoft Office 365 websites, which suggests three different threat groups are using this ploy.

While there are red flags that should alert security-aware employees that this is a scam, unfamiliarity with this type of phishing scam and the inclusion of Microsoft logos and carbon-copy Office 365 login windows may be enough to convince users that the voicemail notifications are genuine.
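The indicators described above (Microsoft branding on a voicemail notification, a sending domain that is not Microsoft's, an HTML attachment that embeds audio and a credential form) can be turned into a mail-filter check. The following is an added example, not HIPAA Journal's or McAfee's code: it scores a raw message on those indicators using only the Python standard library. The Microsoft domain list and the two sample messages (one constructed lure with placeholder `.invalid` domains, one benign internal note that merely mentions a voicemail) are assumptions made for the example.

```python
"""Flag voicemail-lure phishing of the kind described above.

Added example, not HIPAA Journal's or McAfee's code. It checks a raw message for
the indicators the campaign description gives: Microsoft/Office 365 branding in
the sender name or subject, a sending domain outside Microsoft's (the domain
list below is an assumption), an HTML attachment, and audio plus a password form
inside that attachment. The two sample messages are constructed for the example.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "office365.com", "outlook.com"}  # assumption
BRANDING = re.compile(r"microsoft|office\s*365", re.I)
VOICEMAIL = re.compile(r"voice\s*mail|missed call", re.I)
AUDIO = re.compile(r"<audio|audio/wav|\.wav", re.I)
PASSWORD_FORM = re.compile(r"<form[^>]*action=.*?type=[\"']?password", re.I | re.S)


def sender_domain(msg):
    """Domain part of the From address (empty if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def html_attachments(msg):
    """Decoded bodies of every text/html part sent as an attachment."""
    return [part.get_content() for part in msg.walk()
            if part.get_content_disposition() == "attachment"
            and part.get_content_type() == "text/html"]


def score_voicemail_lure(raw: bytes) -> dict:
    """Return the indicators found; three or more is treated as a lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, _ = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    indicators = []
    claims_brand = bool(BRANDING.search(display_name + " " + subject))
    if claims_brand and VOICEMAIL.search(subject):
        indicators.append("branded-voicemail-notification")
    if claims_brand and sender_domain(msg) not in MICROSOFT_DOMAINS:
        indicators.append("brand-domain-mismatch")
    for body in html_attachments(msg):
        indicators.append("html-attachment")
        if AUDIO.search(body):
            indicators.append("embedded-audio")
        if PASSWORD_FORM.search(body):
            indicators.append("password-form-in-attachment")
    return {"suspicious": len(indicators) >= 3, "indicators": indicators}


def build_lure_sample() -> bytes:
    """Constructed message mirroring the campaign's shape (placeholder domains)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Voicemail <no-reply@example.invalid>"
    msg["To"] = "director@example-clinic.org"
    msg["Subject"] = "New voicemail (00:43) from +1 555 0100 - immediate attention required"
    msg.set_content("You have a new voice mail. Open the attachment to listen.")
    page = ('<html><body><audio src="data:audio/wav;base64,UklGRg==" autoplay></audio>'
            '<form action="https://login.example.invalid/" method="post">'
            '<input name="user"><input type="password" name="pw"></form></body></html>')
    msg.add_attachment(page, subtype="html", filename="voicemail.html")
    return bytes(msg)


def build_benign_sample() -> bytes:
    """Constructed internal note that mentions voicemail but carries no lure traits."""
    msg = EmailMessage()
    msg["From"] = "Pat Lee <pat.lee@example-clinic.org>"
    msg["To"] = "director@example-clinic.org"
    msg["Subject"] = "Voicemail from the lab - call them back"
    msg.set_content("The lab left a voicemail about Tuesday's samples; please return the call.")
    return bytes(msg)


if __name__ == "__main__":
    for name, raw in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        print(name, score_voicemail_lure(raw))
```

The threshold of three indicators is deliberate: branding plus a mismatched domain alone also catches legitimate third-party voicemail services that mention Office 365, so the attachment-level checks carry the decision. In a real gateway the HTML attachment should be inspected before delivery, since the page notes the lure only works once the attachment is opened.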

Common Office 365 Mistakes to Avoid and HIPAA Best Practices

This is just the latest of several recent phishing campaigns targeting Office 365 users and attacks on Office 365 users are increasing. Listed below are some steps that can be taken to reduce risk along with some of the common Office 365 mistakes that are made which can increase the risk of account compromises, data breaches and HIPAA penalties.

Consider Using a Third-Party Anti-Phishing Solution on Top of Office 365

Office 365 incorporates anti-spam and anti-phishing protections as standard through Microsoft Exchange Online Protection (EOP). While this control is effective at blocking spam email (99%) and known malware (100%), it doesn’t perform so well at stopping phishing emails and zero-day threats. Microsoft is improving its anti-phishing controls but EOP is unlikely to provide a sufficiently high level of protection for healthcare organizations that are extensively targeted by cybercriminals.

Microsoft’s anti-phishing protections are better in Advanced Threat Protection (ATP), although this solution cannot identify zero-day threats, does not include sandboxing for analyzing malicious attachments, and email impersonation protection is limited. For advanced protection against phishing and zero-day threats, consider layering a third-party anti-phishing solution on top of Office 365.

Implement Multi-Factor Authentication

A third-party solution will block more threats, but some will still be delivered to inboxes. The Verizon Data Breach Investigations Report revealed 30% of employees open phishing emails and 12% click links in those messages. Security awareness training for employees is mandatory under HIPAA and can help to reduce susceptibility to phishing attacks, but additional anti-phishing measures are required to reduce risk to a reasonable and acceptable level. One of the most effective measures is multi-factor authentication. It is not infallible, but it will help to ensure that compromised credentials cannot be used to access Office 365 email accounts.

Check DHS Advice Prior to Migrating from On-Premises Mail Services to Office 365

There are risks and vulnerabilities that must be mitigated when migrating from on-premises mail services to Office 365. The DHS’ Cybersecurity and Infrastructure Security Agency has issued best practices that should be followed. Check this advice before handling your own migrations or using a third-party service.

Ensure Logging is Configured and Review Email Logs Regularly

HIPAA requires logs to be created of system activity and ePHI access attempts, including the activities of authorized users. Those logs must also be reviewed regularly and checked for signs of unauthorized access and suspicious employee behavior.
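Reviewing logs regularly only helps if the review looks for the patterns the breaches above exhibit: logins from unexpected addresses, many failed logins across different users from one address followed by a success, and inbox rules created after a compromise to forward or delete mail. The following is an added example, not HIPAA Journal's code and not a Microsoft tool, that runs those three checks over an exported audit log. It assumes records in the JSON shape of the unified audit log (CreationTime, Operation, UserId, ClientIP, and a Parameters list of {Name, Value} objects for Exchange admin cmdlets); the sample records, the trusted office range, the internal domain and the spray threshold are all constructed for the example, and the checks go beyond what the paragraph states by adding the password-spray and forwarding-rule heuristics.

```python
"""Review exported Office 365 audit records for signs of account compromise.

Added example, not HIPAA Journal's code and not a Microsoft tool. It assumes the
records have the shape of unified audit log JSON (CreationTime, Operation,
UserId, ClientIP and, for Exchange admin cmdlets, a Parameters list of
{Name, Value} objects). The sample records, the trusted office range, the
internal domain and the thresholds are all constructed for this example.
"""
import ipaddress
import json
import re
from collections import defaultdict

INTERNAL_DOMAIN = "example-clinic.org"                      # assumption
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]    # assumption: office egress range
SPRAY_THRESHOLD = 3                                         # distinct users failing from one IP
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export: failed logins for three users from one address,
# a success from that address, a success from the office, and an inbox rule
# that forwards mail to an outside domain and deletes the originals.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2019-05-01T03:02:10", "Operation": "UserLoginFailed",
     "UserId": "alice@example-clinic.org", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2019-05-01T03:02:14", "Operation": "UserLoginFailed",
     "UserId": "bob@example-clinic.org", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2019-05-01T03:02:19", "Operation": "UserLoginFailed",
     "UserId": "carol@example-clinic.org", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2019-05-01T03:05:41", "Operation": "UserLoggedIn",
     "UserId": "alice@example-clinic.org", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2019-05-01T08:12:03", "Operation": "UserLoggedIn",
     "UserId": "bob@example-clinic.org", "ClientIP": "198.51.100.20:51234"},
    {"CreationTime": "2019-05-01T03:09:55", "Operation": "New-InboxRule",
     "UserId": "alice@example-clinic.org", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
])


def _client_ip(raw):
    """ClientIP may carry a port ('203.0.113.7:51234', '[2001:db8::1]:443'); return the address or None."""
    for candidate in (raw, raw.rsplit(":", 1)[0].strip("[]")):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def _trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_NETS)


def _has_external_recipient(value):
    return any(not d.lower().endswith(INTERNAL_DOMAIN) for d in EMAIL_DOMAIN.findall(str(value)))


def review(records):
    """Return a list of findings (dicts with a 'type' key) for the given records."""
    findings, logins = [], []
    failed_users = defaultdict(set)          # normalized ip -> users with failed logins
    for rec in records:
        op, user = rec.get("Operation", ""), rec.get("UserId", "")
        ip_text = rec.get("ClientIP", "")
        ip_key = str(_client_ip(ip_text) or ip_text)
        base = {"user": user, "ip": ip_key, "time": rec.get("CreationTime", "")}
        if op == "UserLoginFailed":
            failed_users[ip_key].add(user)
        elif op == "UserLoggedIn":
            logins.append(base)
            if not _trusted(_client_ip(ip_text)):
                findings.append({"type": "login-from-untrusted-ip", **base})
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            if any(k in FORWARD_PARAMS and _has_external_recipient(v) for k, v in params.items()):
                findings.append({"type": "external-forwarding-rule", **base})
            if str(params.get("DeleteMessage", "")).lower() == "true":
                findings.append({"type": "rule-deletes-mail", **base})
    spraying = {ip for ip, users in failed_users.items() if len(users) >= SPRAY_THRESHOLD}
    for ip in sorted(spraying):
        findings.append({"type": "possible-password-spray", "ip": ip, "users": sorted(failed_users[ip])})
    for login in logins:                     # a success from a spraying address is the strongest signal
        if login["ip"] in spraying:
            findings.append({"type": "login-after-spray", **login})
    return findings


def review_export(text):
    return review(json.loads(text))


if __name__ == "__main__":
    for finding in review_export(SAMPLE_EXPORT):
        print(finding)
```

Two details matter in practice: the unified audit log is not retained indefinitely, so exports must be taken on a schedule rather than only after an incident is suspected, and the trusted-range check should be a starting point, not a substitute for the sign-in risk data the identity platform itself provides.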

Ensure Your Emails are Encrypted

Email encryption will prevent messages containing ePHI from being intercepted in transit. Email encryption is a requirement of HIPAA if messages containing ePHI are sent outside your organization.

Make Sure You Read Your Business Associate Agreement

Just because you have obtained a signed business associate agreement from Microsoft does not mean your email is HIPAA-compliant. Make sure you read the terms of the BAA, check that your setup is correct, and understand your responsibilities for securing Office 365 and using it in a HIPAA-compliant manner.

Backup and Use Email Archiving

In the event of a disaster, it is essential that you can recover your email data. Your Office 365 environment must therefore be backed up, and emails containing ePHI and HIPAA-related documents must be retained for a period of 6 years. An archiving solution – from Microsoft or a third party – is the best way of retaining emails, as archives can be searched and emails quickly recovered when they are required, such as for legal discovery or a compliance audit.

The post Common Office 365 Mistakes Made by Healthcare Organizations appeared first on HIPAA Journal.

Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach of its scheduling reminder portal on June 28, 2018.

The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment.

Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed.

Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients had been affected by the breach. According to a recent press release, as reported in the Daily Herald, the demographic information of up to 20,000 patients may have been compromised.

The incident has been reported to the Utah Department of Health, the Utah Department of Human Services, and the HHS. Affected individuals have been advised to place a fraud alert on their credit files as a precaution against misuse of their information.

It is currently unclear when the breach was discovered and why it has taken until now for a press release to be issued about the security breach.

The post Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients appeared first on HIPAA Journal.

21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information.

The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019.

It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorized access.

An extensive systemic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information, medical history, and treatment information may have been compromised.

All affected patients have been offered complimentary credit monitoring and identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,407 patients were impacted by the breach.

Hunt Regional Healthcare Victim of Cyberattack

Greenville, TX-based Hunt Regional Healthcare has announced it experienced a cyberattack on May 14, 2019 in which hackers gained access to its computer network and the protected health information of certain patients.

The attackers potentially accessed files containing patient names, telephone numbers, dates of birth, Social Security numbers, race, and religious preferences. The incident has been reported to the FBI and Hunt Regional Healthcare is assisting in the investigation.

Hunt Regional Healthcare has said no evidence of unauthorized data access or data theft has been discovered, but patients are being notified as a precaution and are being offered free access to IDExperts credit monitoring and identity theft protection services.

It is currently unclear how many patients have been affected by the breach.

The post 21,400 Patients Impacted by St. Croix Hospice Phishing Attack appeared first on HIPAA Journal.