[BreachExchange] Phishing Attack Impacts Health Data of 128K Employees, Patients

[Destry Winant]

https://healthitsecurity.com/news/phishing-attack-impacts-health-data-of-128k-employees-patients

New York Oncology Hematology is notifying 128,400 employees and
patients that their patient data may have been breached, after 15
employees fell victim to a phishing campaign in April.

The phishing emails were highly targeted, appearing as a legitimate
email login page, which duped employees into entering their login
credentials, according to officials. The hackers harvested the
credentials to gain access to the email accounts for a few hours
before access was terminated by the IT vendor.

After the phishing attacks were identified, officials stopped access
by resetting the passwords on the impacted emails. The IT vendor
notified NYOH of the breaches, and officials launched their incident
response protocol.

Officials hired a forensic firm to review the email accounts and found
access occurred April 20, where a hacker had access to 14 separate
email accounts. A second hack occurred between April 21 and 27 on an
additional account.

Investigators found more than one of the impacted accounts contained
protected health data and other personal information on patients and
employees. The impacted emails contained names, email addresses, home
addresses, insurance details, medical data like test results,
diagnostic codes, account numbers and service dates.

For some, Social Security numbers and driver’s license numbers were
included. Officials are notifying all employees and patients out of an
abundance of caution. Any patients who joined NYOH after April 28,
2018 are not included in the breach.

The investigation concluded on October 1, which could explain the
delayed breach notification. Under HIPAA, providers must notify
patients, the Department of Health and Human Services and the public
within 60 days after the breach was discovered.

All impacted employees and patients have been sent notification
letters and will be provided a year of free credit monitoring.

The NYOH breach follows the year-long trend of hackers ramping up the
sophistication of phishing attacks and malware. Security researchers
have warned healthcare will continue to be targeted, and it will only
get worse.

In fact, the Minnesota Department of Human Services suffered a similar
fate in June and July, when multiple employees fell victim to targeted
spear-phishing campaigns. During the hearing, officials noted they’d
experienced more than 1,600 phishing emails targeting government
employees.