[BreachExchange] Phishing Attacks Breach Data of 42K Florida Patients for 3 Months

Destry Winant destry at riskbasedsecurity.com
Fri Nov 16 10:35:40 EST 2018 

https://healthitsecurity.com/news/phishing-attacks-breach-data-of-42k-florida-patients-for-3-months

Florida-based Health First notified 42,000 patients that their
personal data may have been exposed for three months after several
employees fell victim to phishing attacks.

The breach was reported to the Department of Health and Human Services
in October. DataBreaches.net was able to obtain further details, which
found several employee email accounts were hacked by phishing scams
between February and May 2018.

Once the cyberattacks were discovered, officials blocked access to the
impacted accounts and changed the passwords. Health First has since
implemented new security measures.

According to officials, the investigation found a limited number of
emails were viewed. Furthermore, the hack appeared to focus on the
phishing scam itself rather than obtaining personal data. But the
accounts did contain protected health information and those patients
have been notified of the breach.

The hack compromised some patient data and gave the cybercriminals
access to these accounts for a limited period. Officials did not
explain when they first discovered the attack, nor why it took until
October to report the breach to HHS. Health First did not respond to a
request for comment by time of publication.

Health First is just one of many healthcare organizations this year to
report a breach that went undetected for several months.

Just last month, North Carolina-based Catawba Valley reported that
while officials were investigating a phishing attack in August, they
discovered a hacker had access to three email accounts for more than a
month. A similar attack on Gold Coast Health plan breached 37,000
patient records for a month.

In fact, the Minnesota Department of Human Services was recently under
fire by state officials for a breach of 21,000 patient records that
went undetected for more than a month. An Octoberhearing outlined the
crux of the issue: limited resources and a lack of security talent to
“perform deep analysis.”

These security incidents serve as a critical reminder of the need for
better network monitoring and access management to better detect
suspicious activity.

More information about the BreachExchange mailing list